CVE-2026-57634
Deferred Deferred - Pending Action
Contributor IDOR in PPWP Plugin <= 1.9.19

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-57634
EUVD
EUVD-2026-39750
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack ppwp_plugin to 1.9.19 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress PPWP Plugin, versions 1.9.19 and below, has an Insecure Direct Object References (IDOR) vulnerability, which is a type of broken access control issue.

This vulnerability allows attackers with low-level privileges, such as contributors, to bypass authorization and access sensitive files, folders, or interact with the database.

It is classified as a low severity risk with a CVSS score of 4.3 and falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability can allow attackers with low-level privileges to bypass authorization controls and gain unauthorized access to sensitive files, folders, or database interactions.

Although the risk is considered low severity, it could be exploited in mass campaigns targeting thousands of websites, potentially leading to data exposure or unauthorized modifications.

Mitigation Strategies

The vulnerability affects WordPress PPWP Plugin versions 1.9.19 and below. The immediate step to mitigate this vulnerability is to update the plugin to version 1.9.20 or later, which contains the patch that resolves the issue.

Alternatively, users can seek assistance from their hosting provider or developer to apply the necessary fixes.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins is recommended to ensure timely patching.

Compliance Impact

The vulnerability is an Insecure Direct Object References (IDOR) issue that allows low-privilege users to bypass authorization and access sensitive files, folders, or database interactions.

Such unauthorized access to sensitive data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls to protect personal and sensitive information.

Although the CVSS score is low severity (4.3), exploitation in mass campaigns could increase the risk of data exposure, thereby impacting compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart