CVE-2026-7523
Received Received - Intake
Authorization Bypass in Alba Board WordPress Plugin

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Wordfence

Description
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-06
AI Q&A
2026-06-06
EPSS Evaluated
N/A
NVD
CVE-2026-7523
EUVD
EUVD-2026-34923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alba_board alba_board to 2.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Alba Board plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 2.1.3. This occurs because the plugin does not properly verify whether a user is authorized to perform certain actions. As a result, authenticated users with subscriber-level access or higher can access private alba_card post data that should only be accessible to Administrators and Editors.

Additionally, the vulnerability is more severe because the handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode. This means unauthenticated users who can access such pages may also exploit this vulnerability.


How can this vulnerability impact me? :

This vulnerability can allow unauthorized users, including unauthenticated visitors, to access private data within the Alba Board plugin. Specifically, sensitive information such as titles, descriptions, assignees, due dates, tags, and comments of alba_card posts intended to be restricted to higher privilege users can be exposed.

Such unauthorized data access can lead to information disclosure, potentially compromising privacy and confidentiality of data managed through the plugin.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthorized access to private alba_card post data, including sensitive information such as title, description, assignee, due date, tags, and comments. This unauthorized disclosure of potentially sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper access controls to protect personal and sensitive information.

Since the plugin fails to properly verify user authorization and exposes data to unauthenticated users, organizations using this plugin may be at risk of violating confidentiality and data protection requirements mandated by these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart