CVE-2026-39433
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: wpams_plugin
Version / Range: to 49.5.3 (exc)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The WordPress WPAMS Plugin, versions below 49.5.3, contains an Arbitrary Content Deletion vulnerability. This flaw allows malicious users with subscriber-level access to delete website content such as posts, pages, or images. It is classified as a medium-priority security risk with a CVSS score of 6.5 and falls under the OWASP Top 10 category of Broken Access Control.

Impact Analysis

This vulnerability can lead to unauthorized deletion of website content by users who should only have limited subscriber access. Such content deletion can disrupt website operations, cause data loss, and damage the website's reputation. It could also be exploited in large-scale attacks targeting many websites simultaneously.

Detection Guidance

The vulnerability allows malicious actors with subscriber-level access to delete content such as posts, pages, or images from a website. Detection would involve monitoring for unusual or unauthorized content deletions on WordPress sites running WPAMS plugin versions below 49.5.3.

Specific commands or network detection methods are not provided in the available resources. However, monitoring WordPress logs for deletion events initiated by subscriber-level users could help identify exploitation attempts.

Mitigation Strategies

Immediate action is recommended to update the WPAMS plugin to version 49.5.3 or later, which contains the fix for this Arbitrary Content Deletion vulnerability.

If updating the plugin is not possible immediately, users should seek assistance from their hosting provider or web developer.

Additionally, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability until the plugin can be updated.

Compliance Impact

The vulnerability allows subscriber-level users to delete arbitrary content such as posts, pages, or images from a website, which represents a Broken Access Control issue.

Such unauthorized content deletion could impact data integrity and availability, potentially affecting compliance with standards and regulations that require protection of data and content, such as GDPR and HIPAA.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.
