CVE-2026-39534: WordPress WP Directory Kit plugin <= 1.5.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: no upstream fix published
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken access control vulnerability in the WP Directory Kit WordPress plugin, affecting all versions up to and including 1.5.0. An unauthenticated attacker can reach it over the network with no login required and no user interaction needed. Successful exploitation allows the attacker to read sensitive data from the affected WordPress site. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in registries, CI/CD pipelines, and custom-built images that bundle the WP Directory Kit plugin, across every HarborGuard environment.
- Triage: Available. HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights the finding against each customer environment's compliance policy. Triage results are routed to the appropriate team inbox within the customer org based on policy configuration.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be opened automatically at that point.
Exploit Conditions
- Network reachability: Required. The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Not required. No account or session credential of any kind is needed to trigger the access control bypass.
- Victim interaction: Not required. The attack can be fully automated and requires no action from any user on the target site.
- Attack complexity: Low. No race conditions, special configurations, or other environmental preconditions are required.
Blast Radius
- An attacker reads protected content or data from the WordPress site that should be restricted by access controls.
- Sensitive configuration values, user records, or directory listings stored in the plugin may be exposed to an unauthenticated third party.
- No integrity or availability impact is indicated; stored data is not modified and service availability is not disrupted.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-39534 at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the meantime, compensating controls to consider include network-policy rules that restrict public access to the affected WordPress endpoints, web application firewall rules targeting the vulnerable plugin routes, and disabling or removing the WP Directory Kit plugin where its functionality is not actively needed.
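To act on the advisory's affected range (≤ 1.5.0), a practitioner first needs to know whether a given WordPress tree carries the plugin at a vulnerable version. The script below is an added example, not HarborGuard's or the plugin's own code: it reads the `Version:` header from the plugin's main file and compares it numerically against the advisory's upper bound. It assumes the plugin lives at `wp-content/plugins/wpdirectorykit/wpdirectorykit.php` (the slug is an assumption; verify it against your own install), and the sample plugin header it builds for the demo is constructed, not taken from the plugin.

```shell
#!/bin/sh
# Added example (not HarborGuard's or the plugin's code): check whether a
# WordPress document root carries WP Directory Kit at a version in the
# affected range (<= 1.5.0) stated in the advisory.
# Assumptions: the plugin lives under wp-content/plugins/<slug>/<slug>.php
# and the slug is "wpdirectorykit"; verify both against your own install.

AFFECTED_MAX="1.5.0"          # upper bound of the affected range (from the advisory)
PLUGIN_SLUG="wpdirectorykit"  # assumed directory/file slug

# version_le A B: exit 0 when dotted version A <= B, else 1.
# Compares field by field as integers, so 1.10.0 sorts above 1.5.0.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# plugin_version FILE: print the value of the "Version:" header in a
# WordPress plugin main file (first match only, whitespace stripped).
plugin_version() {
  awk -F'Version:' '/^[ \t*]*Version:/ { gsub(/[ \t\r]/, "", $2); print $2; exit }' "$1"
}

# check_wp_root DIR: print a verdict line for the WordPress root DIR.
# Exit 0 = affected, 1 = not affected, 2 = plugin absent or version unreadable.
check_wp_root() {
  f="$1/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_SLUG.php"
  [ -f "$f" ] || { echo "absent"; return 2; }
  v=$(plugin_version "$f")
  [ -n "$v" ] || { echo "unknown"; return 2; }
  if version_le "$v" "$AFFECTED_MAX"; then
    echo "affected $v"
    return 0
  fi
  echo "not-affected $v"
  return 1
}

# sample_check VERSION: write a constructed plugin header carrying VERSION
# into a temporary WordPress tree and run check_wp_root on it (demo only).
sample_check() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/plugins/$PLUGIN_SLUG"
  printf '<?php\n/**\n * Plugin Name: WP Directory Kit\n * Version: %s\n */\n' "$1" \
    > "$tmp/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_SLUG.php"
  check_wp_root "$tmp" || :
  rm -rf "$tmp"
}

# On a real host: check_wp_root /var/www/html
sample_check 1.5.0   # prints "affected 1.5.0"
sample_check 1.5.1   # prints "not-affected 1.5.1"
```

The exit code of `check_wp_root` is meant for CI or image-scan gates: a zero exit flags an image that still bundles a vulnerable build, which is where the compensating controls above (restricting access to the plugin routes, or deactivating the plugin) apply until an upstream fix version appears and the range check can be updated.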
Affected Products
- WP Directory Kit (vendor: Wp Directory Kit): ≤ 1.5.0
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N