{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39477", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:42:07.235Z", "datePublished": "2026-04-08T08:30:09.658Z", "dateUpdated": "2026-04-08T08:30:09.658Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cartflows", "product": "CartFlows", "vendor": "Brainstorm Force", "versions": [{"changes": [{"at": "2.2.4", "status": "unaffected"}], "lessThanOrEqual": "2.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.438Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects CartFlows: from n/a through <= 2.2.3.</p>"}], "value": "Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:09.658Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cartflows/vulnerability/wordpress-cartflows-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress CartFlows plugin <= 2.2.3 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3."}], "id": "CVE-2026-39477", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:22.527", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cartflows/vulnerability/wordpress-cartflows-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.3]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "CartFlows", "source": "cna", "vendor": "Brainstorm Force"}, "product": "cartflows", "vendor": "brainstormforce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:18:58.207504+00:00", "value": {"mitigation_remediation": ["Upgrade the CartFlows plugin to a version newer than 2.2.3", "Verify that the upgrade resolves the missing authorization issue by testing access restrictions", "If an upgrade is not feasible, disable or remove the CartFlows plugin from the WordPress site", "Continuously monitor WordPress logs for unusual activity that may indicate abuse of the exposed access controls"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed Brainstorm Force CartFlows plugin version 2.2.3 or earlier is affected. The vulnerability applies to all installations regardless of other security measures, as the flaw is solely within the plugin\u2019s internal access checks.", "description_and_impact": "The vulnerability is a missing authorization flaw in the CartFlows WordPress plugin version 2.2.3 or earlier. This broken access control, identified as CWE\u2011862, allows an attacker to reach functions or data that should be protected by role checks. The immediate consequence is that an unauthenticated or low\u2011privileged user could read, modify, or delete marketing funnel configurations, potentially compromising the website\u2019s content and business logic.", "risk_and_exploitability": "The flaw has no known CVSS, EPSS, or KEV score, but the CVE record indicates it is not listed in the CISA KEV catalog and EPSS data is unavailable. Based on the description, the likely attack vector is remote exploitation by sending crafted HTTP requests to the plugin\u2019s exposed endpoints. An attacker could bypass intended role restrictions, potentially escalating privileges or manipulating site content without authentication. While no public exploit is reported, the straightforward nature of the missing authorization makes it a high\u2011risk issue for exposed WordPress sites."}}}}, "created": "2026-04-08T19:30:49.756244+00:00", "updated": "2026-04-08T19:43:18.588641+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$cartflows", "wordpress", "wordpress$PRODUCT$wordpress"]}