PatchSiren cyber security CVE debrief
CVE-2026-42677 Ben Balter CVE debrief
A Missing Authorization vulnerability in the WP Document Revisions WordPress plugin, authored by Ben Balter, allows exploitation of incorrectly configured access control security levels. The vulnerability affects all versions prior to 4.0.0 and is classified as CWE-862 (Missing Authorization). With a CVSS 3.1 score of 7.5 (HIGH), this issue presents a network-attackable vector with low attack complexity, requiring no privileges or user interaction, and can result in high confidentiality impact. The NVD entry currently carries a 'Deferred' status, indicating the record may be awaiting additional analysis or vendor coordination. The vulnerability was disclosed on June 1, 2026, with a subsequent modification to the record approximately 40 minutes later. No known exploitation in ransomware campaigns has been documented, and the issue has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Ben Balter
- Product: WP Document Revisions
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
WordPress site administrators using the WP Document Revisions plugin, security teams managing WordPress plugin portfolios, and organizations relying on document revision workflows with access control requirements.
Technical summary
The WP Document Revisions plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in versions prior to 4.0.0. The flaw enables attackers to exploit incorrectly configured access control security levels, potentially allowing unauthorized access to document revisions. The attack vector is network-based with low complexity and requires no authentication or user interaction. The confidentiality impact is rated HIGH, with no direct integrity or availability impact per the CVSS vector. The NVD record status is 'Deferred', suggesting ongoing analysis or vendor coordination.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade WP Document Revisions to version 4.0.0 or later to remediate the missing authorization vulnerability
- Review WordPress plugin inventory for installations of WP Document Revisions below version 4.0.0 and prioritize patching
- Validate access controls on document revision endpoints after patching to confirm unauthorized access is prevented
- Monitor for unauthorized document access attempts in WordPress audit logs pending patch deployment
- Subscribe to vendor or plugin repository security advisories for WP Document Revisions to receive future vulnerability notifications
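One way to carry out the inventory step above, as an added example that is not part of the original advisory or the plugin's own code: it walks a directory of WordPress installs, reads each plugin's header comment, and reports copies of WP Document Revisions older than 4.0.0. The directory layout, file names and sample versions are constructed, and flagging pre-release or unparseable versions is an assumption made on the side of caution.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "4.0.0"                # first fixed release, per the advisory
PLUGIN_NAME = "WP Document Revisions"  # product name, per the advisory
# WordPress reads plugin metadata from a comment header in the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def version_key(version):
    """Map '3.8.1' to a sortable tuple; a pre-release such as '4.0.0-beta1'
    sorts just below its final release (assumption: treat it as unfixed)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (0 if "-" in version else 1,)

def read_header(php_file):
    """Return the first Plugin Name and Version found in the file's first 8 KiB."""
    fields = {}
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value)
    return fields

def find_vulnerable(root):
    """List (plugin directory, version) for copies older than FIXED_VERSION."""
    hits = []
    for php_file in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        header = read_header(php_file)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = header.get("version", "")
        # A missing or non-numeric version cannot be cleared, so report it too.
        if not re.search(r"\d", version) or version_key(version) < version_key(FIXED_VERSION):
            hits.append((php_file.parent.relative_to(root).as_posix(), version or "unknown"))
    return hits

def build_sample_tree(root):
    """Constructed sample data: three sites, each with a different plugin version."""
    for site, version in {"site-a": "3.8.1", "site-b": "4.0.0", "site-c": "4.0.0-beta1"}.items():
        plugin_dir = Path(root, site, "wp-content", "plugins", "wp-document-revisions")
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version in find_vulnerable(tmp):
            print(f"needs upgrade to >= {FIXED_VERSION}: {path} (version {version})")
```

Matching is done on the header's plugin name rather than the directory name, so renamed plugin folders are still found.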
Evidence notes
The vulnerability is mapped to CWE-862 (Missing Authorization) per the NVD record. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N confirms network accessibility with no required privileges or user interaction. The NVD vulnerability status is 'Deferred'. Vendor identification is marked low-confidence and flagged for review due to reliance on reference domain inference from Patchstack rather than explicit vendor attribution in the source record.
Official resources
- CVE-2026-42677 CVE record (CVE.org)
- CVE-2026-42677 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
The CVE record was published on 2026-06-01 at 17:17:00 UTC and modified at 17:57:16 UTC the same day. The source of vulnerability details is Patchstack, which identified the broken access control issue in WP Document Revisions plugin 3.8.1.