CVE-2026-40742
Missing Authorization in Nelio AB Testing Plugin
Publication date: 2026-04-15
Last updated on: 2026-04-29
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nelio_software | nelio_ab_testing | up to 8.2.8 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40742 is a vulnerability in the WordPress Nelio AB Testing Plugin versions up to and including 8.2.8. It is classified as a Sensitive Data Exposure issue caused by missing authorization, which means that unauthenticated attackers can access sensitive information that should normally be restricted.
This vulnerability arises from incorrectly configured access control security levels, allowing attackers to bypass authorization checks and view sensitive data without needing any privileges.
The issue has been fixed in version 8.3.0 of the plugin, and users are strongly advised to update to this version to mitigate the risk.
How can this vulnerability impact me?
This vulnerability can allow unauthorized, unauthenticated attackers to view sensitive data that should be protected. Such exposure can lead to further exploitation of other system weaknesses.
Although the severity is considered low (CVSS score 5.3) and exploitation is unlikely, the vulnerability is significant enough to be targeted in mass-exploit campaigns affecting many websites regardless of their popularity or traffic.
If exploited, it could compromise the confidentiality of sensitive information, potentially leading to data breaches or other security incidents.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to access sensitive information via the WordPress Nelio AB Testing Plugin versions up to 8.2.8. Detection would involve checking the plugin version installed on your WordPress site.
You can detect if your system is vulnerable by verifying the plugin version. For example, you can use WP-CLI commands to list installed plugins and their versions.
- `wp plugin list --fields=name,version | grep nelio-ab-testing` (WP-CLI's `--field` accepts a single column; `--fields` is the option that takes a comma-separated list)
If the version is less than or equal to 8.2.8, your system is vulnerable. Additionally, monitoring web server logs for unusual unauthenticated access attempts to Nelio AB Testing plugin endpoints may help detect exploitation attempts.
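The version check described above, written out as an added example (not from the page or the plugin vendor): it reads `wp plugin list --fields=name,version --format=csv` output, here replaced by a constructed sample so it runs offline, and reports whether the installed nelio-ab-testing version is below the fixed release 8.3.0. Using `sort -V` for the comparison is an assumption about the host (GNU, BSD and BusyBox sort all support it).

```shell
#!/bin/sh
# Added example (not from the original page): classify the installed
# nelio-ab-testing version against the fix release named above (8.3.0);
# the page lists the affected range as up to 8.2.8 inclusive.

FIXED_VERSION="8.3.0"

# version_lt A B: true when A sorts strictly before B as a version number.
# sort -V orders multi-digit components correctly (8.10.1 > 8.3.0), which a
# plain string comparison would get wrong.
version_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# nelio_status VERSION: prints vulnerable, patched, or not-installed
# (empty input means the plugin row was absent from the listing).
nelio_status() {
  if [ -z "$1" ]; then
    echo not-installed
  elif version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# extract_nelio_version: reads CSV from
#   wp plugin list --fields=name,version --format=csv
# on stdin and prints the version column of the nelio-ab-testing row.
extract_nelio_version() {
  awk -F, '$1 == "nelio-ab-testing" { print $2; exit }'
}

# Constructed sample of that CSV output, standing in for a live site.
SAMPLE_PLUGIN_LIST='name,version
akismet,5.3
nelio-ab-testing,8.2.8'

# check_sample: end-to-end run over the sample; prints one status line.
check_sample() {
  v=$(printf '%s\n' "$SAMPLE_PLUGIN_LIST" | extract_nelio_version)
  echo "nelio-ab-testing ${v:-absent}: $(nelio_status "$v")"
}

check_sample
```

On a live site, pipe the real WP-CLI CSV output into `extract_nelio_version` instead of the sample.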
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended immediate step to mitigate this vulnerability is to update the Nelio AB Testing plugin to version 8.3.0 or later, where the issue is patched.
If an immediate update is not possible, users should seek assistance from their hosting provider or web developer to apply temporary mitigation measures or enable auto-updates for the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access sensitive information that is normally restricted, which constitutes Sensitive Data Exposure.
Exposure of sensitive data can potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Although the CVSS score indicates a low severity impact and exploitation is considered unlikely, the unauthorized viewing of sensitive data could still pose risks to compliance by violating confidentiality requirements.
Therefore, organizations using the affected plugin versions should update to the patched version 8.3.0 promptly to mitigate risks related to regulatory compliance.