CVE-2026-57634
Deferred Deferred - Pending Action

Contributor IDOR in PPWP Plugin <= 1.9.19

Vulnerability report for CVE-2026-57634, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack ppwp_plugin to 1.9.19 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress PPWP Plugin, versions 1.9.19 and below, has an Insecure Direct Object References (IDOR) vulnerability, which is a type of broken access control issue.

This vulnerability allows attackers with low-level privileges, such as contributors, to bypass authorization and access sensitive files, folders, or interact with the database.

It is classified as a low severity risk with a CVSS score of 4.3 and falls under the OWASP Top 10 category A1: Broken Access Control.

Detection Guidance

This vulnerability affects the WordPress PPWP Plugin versions 1.9.19 and below, allowing low-privilege users to bypass authorization via Insecure Direct Object References (IDOR). Detection involves verifying the plugin version installed on your WordPress site.

To detect if your system is vulnerable, you can check the installed version of the PPWP plugin. If it is version 1.9.19 or lower, your system is vulnerable.

Suggested commands to check the plugin version on your server include:

  • Navigate to the WordPress plugins directory, usually at wp-content/plugins/ppwp_plugin/
  • Use a command like `cat readme.txt | grep 'Stable tag'` or `grep 'Version' ppwp_plugin.php` to find the plugin version.
  • Alternatively, use WP-CLI to check the plugin version: `wp plugin get ppwp_plugin --field=version`

If the version is 1.9.19 or below, the plugin is vulnerable and should be updated immediately to version 1.9.20 or later.

Impact Analysis

This vulnerability can allow attackers with low-level privileges to bypass authorization controls and gain unauthorized access to sensitive files, folders, or database interactions.

Although the risk is considered low severity, it could be exploited in mass campaigns targeting thousands of websites, potentially leading to data exposure or unauthorized modifications.

Compliance Impact

The vulnerability is an Insecure Direct Object References (IDOR) issue that allows low-privilege users to bypass authorization and access sensitive files, folders, or database interactions.

Such unauthorized access to sensitive data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls to protect personal and sensitive information.

Although the CVSS score is low severity (4.3), exploitation in mass campaigns could increase the risk of data exposure, thereby impacting compliance with these standards.

Mitigation Strategies

The vulnerability affects WordPress PPWP Plugin versions 1.9.19 and below. The immediate step to mitigate this vulnerability is to update the plugin to version 1.9.20 or later, which contains the patch that resolves the issue.

Alternatively, users can seek assistance from their hosting provider or developer to apply the necessary fixes.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins is recommended to ensure timely patching.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart