CVE-2026-39699
Missing Authorization in AI Workflow Automation β€1.4.2 Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| massiveshift | ai_workflow_automation_lite | to 1.4.2 (inc) |
| patchstack | ai_workflow_automation_lite | to 1.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves Broken Access Control due to missing authorization checks, which could potentially allow unauthorized users to perform privileged actions.
Such unauthorized access risks violating data protection principles embedded in standards like GDPR and HIPAA, which require strict access controls to protect personal and sensitive data.
However, the provided information does not explicitly state the direct impact of this vulnerability on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-39699 is a Broken Access Control vulnerability found in the WordPress AI Workflow Automation Plugin versions up to and including 1.4.2.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which means that unauthenticated users can perform actions that should be restricted to higher privileged users.
This vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 5.3, indicating a low priority threat.
How can this vulnerability impact me? :
Because the vulnerability allows unauthenticated users to perform privileged actions, it can lead to unauthorized access or manipulation of the AI Workflow Automation plugin's functions.
Although the risk is considered low and exploitation is unlikely, attackers could leverage this vulnerability in mass-exploit campaigns targeting many websites indiscriminately.
The vulnerability requires no privileges to exploit, which increases its potential impact despite the low severity rating.
Immediate mitigation involves updating the affected plugin to a non-vulnerable version once available or seeking assistance from hosting providers or web developers if updating is not feasible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions of the AI Workflow Automation Plugin up to version 1.4.2.
Detection typically involves checking for unauthorized access attempts or unusual activity targeting the plugin's endpoints or functions.
Since no specific detection commands or signatures are provided, monitoring web server logs for suspicious requests to the AI Workflow Automation plugin paths or functions may help identify exploitation attempts.
Additionally, scanning the installed plugin version to confirm if it is version 1.4.2 or earlier can help determine vulnerability presence.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the AI Workflow Automation Plugin to a non-vulnerable version once it becomes available.
If updating is not feasible, seek assistance from hosting providers or web developers to implement temporary access control measures or restrictions.
Monitoring and restricting access to the plugin's functions to trusted users only can reduce the risk of exploitation.
Patchstack emphasizes rapid vulnerability mitigation and provides security intelligence and tools to protect WordPress sites.