CVE-2026-7523
Deferred Deferred - Pending Action
Authorization Bypass in Alba Board WordPress Plugin

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-7523
EUVD
EUVD-2026-34923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alba_board alba_board to 2.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Alba Board plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 2.1.3. This occurs because the plugin does not properly verify whether a user is authorized to perform certain actions. As a result, authenticated users with subscriber-level access or higher can access private alba_card post data that should only be accessible to Administrators and Editors.

Additionally, the vulnerability is more severe because the handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode. This means unauthenticated users who can access such pages may also exploit this vulnerability.

Impact Analysis

This vulnerability can allow unauthorized users, including unauthenticated visitors, to access private data within the Alba Board plugin. Specifically, sensitive information such as titles, descriptions, assignees, due dates, tags, and comments of alba_card posts intended to be restricted to higher privilege users can be exposed.

Such unauthorized data access can lead to information disclosure, potentially compromising privacy and confidentiality of data managed through the plugin.

Compliance Impact

The vulnerability allows unauthorized access to private alba_card post data, including sensitive information such as title, description, assignee, due date, tags, and comments. This unauthorized disclosure of potentially sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper access controls to protect personal and sensitive information.

Since the plugin fails to properly verify user authorization and exposes data to unauthenticated users, organizations using this plugin may be at risk of violating confidentiality and data protection requirements mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7523. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart