CVE-2026-39680
Missing Authorization in MWP Diet Calorie Calculator Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mwp_development | diet_calorie_calculator | up to and including 1.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39680 is a Broken Access Control vulnerability in the WordPress Diet Calorie Calculator Plugin versions up to and including 1.1.1.
This vulnerability arises from missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should be restricted to higher privileged users.
It is classified as an OWASP Top 10 A1 issue and requires no privileges to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-39680 vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions reserved for higher privileged users due to missing authorization checks.
Such unauthorized access could potentially lead to unauthorized data exposure or modification, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls to protect personal and sensitive data.
However, the provided information does not explicitly state the direct effects on compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-39680 vulnerability is a Broken Access Control issue in the WordPress Diet Calorie Calculator Plugin up to version 1.1.1, allowing unauthenticated users to perform privileged actions. Detection involves checking if the vulnerable plugin version is installed and monitoring for unauthorized access attempts.
To detect this vulnerability on your system, you can first verify the plugin version installed on your WordPress site by running commands to list installed plugins and their versions.
- Use WP-CLI to check the plugin version: `wp plugin list | grep diet-calorie-calculator`
- Inspect web server logs for suspicious unauthenticated requests attempting to access or modify plugin functionality.
- Use network monitoring tools to detect unusual HTTP requests targeting the Diet Calorie Calculator plugin endpoints.
Since the vulnerability allows unauthenticated exploitation, monitoring for unexpected POST or GET requests to plugin-specific URLs without proper authorization can help identify exploitation attempts.
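The two checks described above (confirming the installed plugin version falls in the affected range, and reviewing access logs for unauthenticated requests that reach plugin-specific endpoints) as a worked, added example. This is illustrative code written for this page, not code from Patchstack or from the plugin. It assumes the plugin slug `diet-calorie-calculator` from the WP-CLI command above, assumes the plugin's REST and admin-ajax entry points can be recognised by that slug (the advisory does not name the real endpoints, so the action and route names in the sample are placeholders), and assumes an Apache combined log format extended with a final quoted `%{Cookie}i` field so that the `wordpress_logged_in_` session cookie is visible. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected range from the advisory: all versions up to and including 1.1.1.
AFFECTED_MAX = (1, 1, 1)

# Assumption: plugin slug as used in the WP-CLI check; real endpoint names are not
# given in the advisory, so plugin traffic is recognised by the slug alone.
SLUG_RE = re.compile(r"diet[-_]?calorie[-_]?calculator", re.IGNORECASE)
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2")

# Assumption: Apache combined log plus a trailing quoted "%{Cookie}i" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_version(text):
    """'1.1.1' -> (1, 1, 1); a suffix such as '1.2.0-beta' is ignored."""
    nums = []
    for piece in re.split(r"[.\-+]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple((nums + [0, 0, 0])[:3])


def is_affected_version(installed):
    """True when the installed plugin version is inside the advisory's range."""
    return parse_version(installed) <= AFFECTED_MAX


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_plugin(target):
    """True for requests that reach the plugin's own (non-static) code paths."""
    parts = urlsplit(target)
    if parts.path.endswith(STATIC_EXT):
        return False
    if SLUG_RE.search(parts.path):            # e.g. an assumed /wp-json/<slug>/ route
        return True
    if parts.path.endswith("/admin-ajax.php"):  # admin-ajax 'action' naming the plugin
        return any(SLUG_RE.search(a) for a in parse_qs(parts.query).get("action", []))
    return False


def is_authenticated(cookie_field):
    """WordPress sets wordpress_logged_in_<hash> for logged-in sessions."""
    return "wordpress_logged_in_" in cookie_field


def scan_access_log(lines):
    """Findings for unauthenticated requests to plugin endpoints.

    State-changing methods are always reported; GETs are reported only when they
    invoke an admin-ajax action, because the public calculator form itself is
    expected to be fetched by anonymous visitors."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not targets_plugin(rec["target"]):
            continue
        if is_authenticated(rec["cookie"]):
            continue
        is_ajax = urlsplit(rec["target"]).path.endswith("/admin-ajax.php")
        if rec["method"] == "GET" and not is_ajax:
            continue
        findings.append({"line": n, "ip": rec["ip"], "method": rec["method"],
                         "target": rec["target"], "status": rec["status"]})
    return findings


# Constructed sample log lines (not real traffic); route and action names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2026:10:01:02 +0000] "POST /wp-json/diet-calorie-calculator/v1/settings HTTP/1.1" 200 87 "-" "curl/8.4.0" "-"',
    '198.51.100.7 - - [08/Apr/2026:10:02:15 +0000] "POST /wp-json/diet-calorie-calculator/v1/settings HTTP/1.1" 200 87 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_0123abcd=admin%7C1775000000%7Cxyz; wp-settings-1=x"',
    '203.0.113.5 - - [08/Apr/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=diet_calorie_calculator_placeholder_save&value=1 HTTP/1.1" 200 2 "-" "python-requests/2.31" "-"',
    '192.0.2.9 - - [08/Apr/2026:10:04:01 +0000] "GET /wp-content/plugins/diet-calorie-calculator/assets/calc.js HTTP/1.1" 200 4410 "https://example.test/" "Mozilla/5.0" "-"',
    '192.0.2.9 - - [08/Apr/2026:10:04:05 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    print("1.1.1 in affected range:", is_affected_version("1.1.1"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

On the sample, lines 1 and 3 are reported (anonymous POST to the plugin route, anonymous admin-ajax action naming the plugin); the logged-in POST, the static asset fetch and the unrelated page view are not. A 200 status on a flagged request is the signal worth escalating, since a properly authorised endpoint would answer such a request with 401 or 403.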
How can this vulnerability impact me?
This vulnerability allows unauthenticated users to perform privileged actions on affected websites using the Diet Calorie Calculator Plugin.
Although the CVSS score of 5.3 indicates low severity, the issue can be exploited in mass-exploit campaigns that target many websites indiscriminately.
If exploited, it could lead to unauthorized changes or access within the plugin's functionality, potentially compromising site integrity or user data.
Immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation involves updating the affected Diet Calorie Calculator plugin to a fixed version if available.
If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement protective measures.
Since no official patch is currently available, rapid mitigation services from Patchstack may be considered.