CVE-2026-39687
Missing Authorization in Rapid Car Check Vehicle Data
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rapid_car_check | vehicle_data | to 2.0 (inc) |
| patchstack | free_vehicle_data_uk | to 2.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves missing authorization and broken access control, which can allow unauthorized users to perform privileged actions. Such security flaws can potentially lead to unauthorized access to sensitive data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with data protection regulations by exposing sensitive personal or health information without proper authorization.
Can you explain this vulnerability to me?
CVE-2026-39687 is a Broken Access Control vulnerability in the WordPress Rapid Car Check Vehicle Data Plugin versions up to and including 2.0. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.
This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me?
The vulnerability allows unauthorized users to perform privileged actions without proper authentication or authorization. This can lead to unauthorized access or manipulation of data or functions within the plugin.
Although the CVSS severity score is 5.3, indicating low severity and low priority, such vulnerabilities are often targeted in mass-exploit campaigns affecting many websites indiscriminately.
No official patch is currently available, so immediate mitigation involves updating the plugin if possible or seeking assistance from hosting providers or web developers.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected plugin if possible.
If updating is not possible, users are advised to seek assistance from their hosting provider or web developer.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the Rapid Car Check Vehicle Data WordPress plugin versions up to 2.0, allowing unauthenticated users to perform privileged actions.
To detect this vulnerability on your system, you can check if the affected plugin version (up to 2.0) is installed and active on your WordPress site.
Since this is a WordPress plugin vulnerability, detection commands would focus on identifying the plugin version and testing access control on plugin endpoints.
- Use WP-CLI to check the installed plugin version: `wp plugin list --status=active`
- Manually verify the plugin version in the WordPress admin dashboard under Plugins.
- Attempt to access plugin-specific URLs or API endpoints without authentication to see if unauthorized access is possible.
- Use curl or similar tools to test access control, for example: `curl -I http://yourwordpresssite.com/wp-content/plugins/free-vehicle-data-uk/some_endpoint`
No specific detection commands or scripts are provided in the available resources.
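An added inventory check, not from this record or the plugin vendor: it parses the output of the WP-CLI command above run with `--format=json` and flags the `free-vehicle-data-uk` plugin when its installed version is within the affected range (up to and including 2.0). The slug is taken from the plugin path above; that it matches the name WP-CLI reports is an assumption.

```python
import json
import re

# Slug taken from the plugin path on this page (assumed to match WP-CLI's "name");
# the advisory lists versions up to and including 2.0 as affected.
AFFECTED_SLUG = "free-vehicle-data-uk"
LAST_AFFECTED_VERSION = "2.0"


def version_key(version):
    """'2.0', '2.0.1', '10.2' -> tuple of ints; non-numeric text such as '-beta' is dropped."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts) or (0,)


def is_affected(version):
    """True when the installed version is within the inclusive range 'up to 2.0'."""
    a, b = version_key(version), version_key(LAST_AFFECTED_VERSION)
    # Zero-pad so that 2.0 and 2.0.0 compare equal instead of as a prefix ordering.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def find_affected_plugins(wp_plugin_list_json):
    """Parse `wp plugin list --format=json` output and return affected installs.

    An inactive copy is still reported: its files stay on disk until deleted.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == AFFECTED_SLUG and is_affected(plugin.get("version", "0")):
            findings.append({
                "slug": plugin["name"],
                "version": plugin["version"],
                "active": plugin.get("status") == "active",
            })
    return findings


# Constructed sample in the shape `wp plugin list --format=json` emits.
SAMPLE_WP_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "free-vehicle-data-uk", "status": "active", "update": "none", "version": "2.0"},
])

if __name__ == "__main__":
    for f in find_affected_plugins(SAMPLE_WP_OUTPUT):
        state = "ACTIVE" if f["active"] else "inactive"
        print(f"{f['slug']} {f['version']} ({state}) is in the affected range; update or remove it")
```

Feed it real data with `wp plugin list --format=json | python3 check.py` after replacing the sample with `sys.stdin.read()`.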