CVE-2026-39503: WordPress Easy Digital Downloads plugin <= 3.6.5 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the Easy Digital Downloads WordPress plugin at version 3.6.5 and below. The flaw is reachable over the network with no authentication required, meaning any remote visitor can reach the vulnerable endpoint without logging in. Successful exploitation allows an attacker to make unauthorized changes to data or functionality that should be restricted to privileged users. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-39503 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built images that bundle the Easy Digital Downloads plugin alongside WordPress, not only images pulled from public registries.
CVE-2026-39503 carries a CVSS v3.1 score of 7.5 (HIGH), and HarborGuard surfaces that score alongside per-environment compliance policy weighting to help teams prioritize against their own risk thresholds. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
No fix version has been published by Awesomemotive for this vulnerability. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress site over the network; no physical or local access is needed.
- Authentication: Not required
No account or session credentials are needed; the vulnerable endpoint is accessible to any unauthenticated visitor.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is required for the attack to succeed.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; no race conditions, memory layout assumptions, or special environmental factors need to be satisfied.
Blast Radius
- An attacker can invoke restricted plugin functionality or modify data that should require authentication or elevated privilege.
- Integrity of digital product records, download limits, payment data, or order management settings may be altered without authorization.
- No direct confidentiality exposure is indicated by the CVSS vector; customer data disclosure is not the primary impact of this vulnerability.
- Service availability is not impacted; the site and plugin remain operational following exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection for this vulnerability is matched against all customer images on every pipeline run, including custom WordPress images that bundle Easy Digital Downloads. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack and NVD advisory feeds continuously and re-evaluates affected images on each ingest cycle. The moment Awesomemotive publishes a patched release, a rebuilt image at the fix version becomes available; for customers with auto-remediation enabled, this triggers a rebuild, a regression test run, and a PR opened against affected workloads automatically. In the interim, compensating controls worth considering include web-application firewall rules that block unauthenticated requests to the vulnerable plugin endpoints, network-policy isolation that restricts external traffic to known trusted sources, and disabling the affected plugin functionality via feature flag or configuration if the workflow is not actively needed.
Affected Products
- Awesomemotive / Easy Digital Downloads: ≤ 3.6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N