PatchSiren cyber security CVE debrief
CVE-2026-0674 Patchstack CVE debrief
CVE-2026-0674 describes a missing-authorization / broken-access-control issue in Campaign Monitor for WordPress, affecting versions through 2.9.1. Based on the supplied NVD record and Patchstack reference, the flaw can allow a low-privileged actor to reach actions that should require stronger authorization, creating an integrity risk for affected WordPress sites.
- Vendor: Patchstack
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-01-08
- Advisory updated: 2026-05-11
Who should care
WordPress site owners and administrators running Campaign Monitor for WordPress, especially sites that allow multiple authenticated roles or delegate plugin administration to non-admin users.
Technical summary
The supplied record maps this issue to CWE-862 (missing authorization) and rates it CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 4.3). The vulnerability is described as missing authorization / incorrectly configured access-control security levels in the Campaign Monitor for WordPress plugin, with the affected range listed as n/a through 2.9.1. The provided vector indicates no confidentiality or availability impact (C:N, A:N) but a low integrity impact (I:L): an authenticated user with low privileges may be able to make unauthorized state changes or reach restricted plugin functions.
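The CWE-862 pattern behind this class of WordPress plugin bug, shown as an added, hypothetical illustration (not Campaign Monitor for WordPress code; the record does not say where that plugin's check was missing): a `wp_ajax_` handler reachable by any logged-in user, beside the form that authorizes with `current_user_can()` before acting. The `cmwp_demo_*` names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// admin-ajax handler and its hardened form. Hypothetical plugin code:
// it is NOT the Campaign Monitor for WordPress plugin, and the advisory
// gives no detail on where that plugin's actual check was missing.

// --- Vulnerable pattern (what PR:L / I:L in the vector corresponds to).
// A wp_ajax_{action} hook fires for EVERY authenticated user regardless
// of role, so with no capability check a subscriber can change settings.
add_action( 'wp_ajax_cmwp_demo_save_settings', 'cmwp_demo_save_settings_unsafe' );
function cmwp_demo_save_settings_unsafe() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    // State change with no authorization decision at all.
    update_option( 'cmwp_demo_api_key', $api_key );
    wp_send_json_success();
}

// --- Hardened pattern: authorize, then verify intent (nonce), then act.
add_action( 'wp_ajax_cmwp_demo_save_settings_safe', 'cmwp_demo_save_settings_safe' );
function cmwp_demo_save_settings_safe() {
    // Authorization: only users holding the capability may change settings.
    // Check the capability, not the role name, so custom roles work too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection. A nonce proves the request came from a page the
    // user loaded; it does NOT prove the user is allowed to act, so it
    // complements the capability check and never replaces it.
    check_ajax_referer( 'cmwp_demo_save_settings', 'nonce' );

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'cmwp_demo_api_key', $api_key );
    wp_send_json_success();
}
```

The same rule applies to `admin_post_` handlers and to REST routes, where the authorization decision belongs in the route's `permission_callback`.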
Defensive priority
Medium. The issue is network-reachable (AV:N), low-complexity (AC:L), and requires only low privileges with no user interaction (PR:L, UI:N), but the supplied CVSS vector limits the impact to integrity (I:L).
Recommended defensive actions
- Inventory all WordPress instances using Campaign Monitor for WordPress and confirm whether any are at or below version 2.9.1.
- Upgrade to a vendor-fixed release newer than 2.9.1 if one is available; if no fix is published, disable or remove the plugin until remediation is confirmed.
- Restrict WordPress roles and review which accounts can access plugin-related pages, settings, or actions.
- Review WordPress and plugin logs for unexpected configuration changes or other unauthorized activity, especially around and after 2026-01-08.
- Track the NVD record and the Patchstack reference for remediation updates and any additional guidance.
Evidence notes
The source corpus contains an official NVD record with VulnStatus=Deferred and a Patchstack reference describing a broken-access-control vulnerability in the Campaign Monitor for WordPress plugin. The supplied data does not include a fixed version, exploit details, or confirmation of real-world exploitation. Vendor attribution confidence is low in the prompt metadata and is marked as needing review.
Official resources
- CVE-2026-0674 CVE record (CVE.org)
- CVE-2026-0674 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference
Public CVE publication date in the supplied record is 2026-01-08T10:15:54.910Z, and the supplied NVD modified date is 2026-05-11T14:16:30.200Z. No KEV entry is present in the provided timeline.