CVE-2026-27395
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: support_board_plugin
Version / Range: to 3.8.9 (exc)
CWE ID: CWE-266
Description: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-27395 is a high-priority privilege escalation vulnerability in the WordPress Support Board Plugin versions prior to 3.8.9.

This flaw allows unauthenticated attackers to escalate their low-privilege accounts to higher privilege levels, potentially gaining full control of the affected website.

It is categorized under OWASP Top 10 category A7 (Identification and Authentication Failures).

Impact Analysis

The vulnerability can allow attackers to gain unauthorized elevated privileges on your website without authentication.

This could lead to full control over the affected website, including the ability to modify content, steal data, or disrupt services.

It is actively exploited in mass campaigns targeting thousands of websites, making immediate mitigation critical.

Detection Guidance

CVE-2026-27395 affects WordPress sites using the Support Board Plugin versions prior to 3.8.9 and allows unauthenticated privilege escalation.

Detection can start with checking the plugin version installed on your WordPress site to confirm whether it is below 3.8.9.

Since the vulnerability is actively exploited in mass campaigns, monitoring web server logs for suspicious requests targeting the Support Board Plugin endpoints may help identify exploitation attempts.

Patchstack has provided a mitigation rule to block attacks until the update is applied, which may include detection signatures or firewall rules.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate and recommended step to mitigate CVE-2026-27395 is to update the WordPress Support Board Plugin to version 3.8.9 or later.

Until the update can be applied, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability.

Applying this mitigation rule can help protect your site from active exploitation campaigns.

Compliance Impact

CVE-2026-27395 is a critical privilege escalation vulnerability that allows unauthenticated attackers to gain higher privileges and potentially full control over affected websites. Such unauthorized access and control can lead to data breaches, unauthorized data modification, and loss of data integrity and availability.

Because of these risks, this vulnerability can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and systems, as well as measures to prevent unauthorized access and ensure data confidentiality, integrity, and availability.

Organizations using vulnerable versions of the Support Board plugin should urgently update to version 3.8.9 or later to mitigate these risks and help maintain compliance with such regulatory requirements.
