CVE-2026-39655
Deferred - Pending Action
Missing Authorization in Mayosis Core

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Patchstack

Description
Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: teconce
Product: mayosis_core
Version / Range: to 5.4.7 (inc)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-39655 is a Broken Access Control vulnerability in the WordPress Mayosis Core Plugin versions 5.4.7 and below. It occurs because of missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should require higher privileges.

This means that the plugin incorrectly configures access control security levels, enabling attackers to exploit these weaknesses to bypass restrictions.

Compliance Impact

The vulnerability is a Missing Authorization issue leading to Broken Access Control, which can allow unauthorized users to perform higher-privileged actions.

Such access control weaknesses can potentially impact compliance with standards like GDPR and HIPAA, which require strict access controls to protect sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Impact Analysis

The vulnerability allows unauthenticated users to perform higher-privileged actions, which can lead to unauthorized changes or access within the affected WordPress site.

However, the risk of exploitation is considered low and the severity is rated as low (CVSS score 5.3). There is no indication of mass exploitation campaigns currently.

Despite the low severity, it is recommended to take immediate action such as updating the plugin or consulting with a hosting provider or web developer to mitigate potential risks.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability despite its low severity.

  • Update the Mayosis Core plugin to a version above 5.4.7 once available.
  • Seek assistance from your hosting provider or a web developer to implement proper access control measures.