PatchSiren cyber security CVE debrief
CVE-2026-39593 VillaTheme CVE debrief
CVE-2026-39593 describes a missing-authorization flaw in the VillaTheme HAPPY WordPress plugin, affecting versions through 1.0.10. The issue is mapped to broken access control (CWE-862) and scored CVSS 6.5 (medium), with network attack conditions and no user interaction required. Because the source corpus does not provide a confirmed fixed version or a clear vendor ownership record, the safest stance is to treat the issue as a medium-priority access-control weakness requiring review and mitigation on any exposed deployment.
- Vendor: VillaTheme
- Product: HAPPY
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
WordPress site owners and administrators running the HAPPY plugin, especially in environments where plugin-facing actions are exposed to unauthenticated users or where access-control checks are relied on for ticketing/support workflows. Security teams responsible for plugin inventory and external attack surface monitoring should also review affected sites.
Technical summary
The published data indicates a missing authorization / broken access control condition in HAPPY through 1.0.10. NVD metadata records the weakness as CWE-862 and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, which indicates a remotely reachable issue requiring no privileges or user interaction, with limited integrity and availability impact. The NVD record is marked Deferred, and the source corpus includes a Patchstack advisory reference for the plugin.
Defensive priority
Medium. The vulnerability is remotely reachable and requires no authentication, but the scored impact is limited to low integrity and availability. Prioritize faster if the plugin is internet-facing, used in a support/helpdesk workflow, or installed on high-value WordPress sites.
Recommended defensive actions
- Inventory all WordPress sites for the HAPPY plugin and determine whether any instance is at version 1.0.10 or earlier.
- Review the Patchstack advisory and the CVE/NVD records for any vendor guidance or patched release information.
- If a fixed release is available, upgrade to a version newer than 1.0.10 as soon as possible.
- Temporarily restrict or disable exposed plugin functions if you cannot immediately update.
- Audit logs and application behavior for unauthorized actions involving the plugin's access-controlled features.
- Confirm that WordPress administrator and plugin management access is tightly restricted and monitored.
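An added example for the inventory step above (not code from the advisory, the vendor or the plugin): it reads the standard WordPress plugin header comment in each plugin's PHP files and flags installs at or below 1.0.10. The case-sensitive match on a "Plugin Name" header containing `HAPPY` is an assumption, as the page does not give the plugin's slug or exact header name.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 0, 10)  # advisory: affected "through 1.0.10"
# Assumption: the plugin's "Plugin Name" header contains the word HAPPY.
# Confirm the real name/slug against the Patchstack advisory before relying on it.
NAME_PATTERN = re.compile(r"\bHAPPY\b")

def header_field(text, field):
    """Return a WordPress plugin header value such as 'Version', or None."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:[ \t]*(.+?)[ \t]*$",
                  text, re.M | re.I)
    return m.group(1).strip() if m else None

def version_key(version):
    """'1.0.9-beta' -> (1, 0, 9); None when the string has no digits."""
    nums = [int(n) for n in re.findall(r"\d+", version or "")]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def find_affected(plugins_dir):
    """Return (plugin_dir_name, version, status) for each matching plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        # WordPress itself only reads the first 8 KB for header data.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        name = header_field(head, "Plugin Name")
        if not name or not NAME_PATTERN.search(name):
            continue
        version = header_field(head, "Version")
        key = version_key(version)
        if key is None:
            status = "unknown-version"      # needs manual review
        elif key <= LAST_AFFECTED:
            status = "affected"
        else:
            status = "newer-than-affected"  # no fixed release is confirmed
        findings.append((php.parent.name, version, status))
    return findings

if __name__ == "__main__":
    # Usage: python inventory.py /path/to/wp-content/plugins
    for slug, version, status in find_affected(sys.argv[1]):
        print(f"{slug}\t{version}\t{status}")
```

Because no fixed version is confirmed, a `newer-than-affected` result means only that the install is outside the stated range, not that it is patched.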
Evidence notes
The source corpus states: "Missing Authorization vulnerability in VillaTheme HAPPY" and that the issue affects HAPPY from n/a through 1.0.10. NVD metadata supplies CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L and weakness CWE-862. The NVD record is marked "Deferred" and includes a Patchstack reference URL. The vendor attribution in the provided corpus is low confidence and needs review, so the product/vendor naming should be treated cautiously.
Official resources
- CVE-2026-39593 CVE record (CVE.org)
- CVE-2026-39593 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
Published 2026-05-21. The supplied corpus does not include a confirmed fix release or KEV listing. NVD marks the record as Deferred, and vendor attribution in the corpus is low confidence / needs review.