{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39569", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:19.885Z", "dateUpdated": "2026-04-08T08:30:19.885Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "12-step-meeting-list", "product": "12 Step Meeting List", "vendor": "AA Web Servant", "versions": [{"changes": [{"at": "3.19.10", "status": "unaffected"}], "lessThanOrEqual": "3.19.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.460Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.</p>"}], "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:19.885Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9."}], "id": "CVE-2026-39569", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:28.083", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.19.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "12 Step Meeting List", "source": "cna", "vendor": "AA Web Servant"}, "product": "12_step_meeting_list", "vendor": "aa_web_servant"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T11:08:28.541846+00:00", "value": {"mitigation_remediation": ["Update the 12 Step Meeting List plugin to the newest version that resolves the access control issue.", "If an update is not yet available, temporarily deactivate the plugin until a fix is released.", "Restrict WordPress roles so that only trusted administrators can access plugin settings and functions.", "Review and tighten overall permission settings to prevent unintended access."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access to Meeting Information"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the AA Web Servant 12 Step Meeting List plugin installed at version 3.19.9 or earlier are affected. The vulnerability is confined to the plugin and does not affect the core WordPress software.", "description_and_impact": "The reported flaw is a missing authorization check in the AA Web Servant 12 Step Meeting List plugin. The lack of proper access control allows any user who can reach the plugin\u2019s interfaces to read, modify or delete meeting data that should be restricted. This can expose confidential meeting schedules and potentially corrupt stored information.", "risk_and_exploitability": "The weakness is classified as missing authorization (CWE\u2011862). Because the plugin\u2019s pages can be accessed through ordinary HTTP requests, any authenticated or unauthenticated user on a site with the plugin can exploit it if their role allows such access. No CVSS score, EPSS data or CISA KEV listing is available, but the potential impact of unauthorized data disclosure or alteration is significant."}}}}, "created": "2026-04-08T19:30:07.937716+00:00", "updated": "2026-04-08T19:42:27.509592+00:00", "vendors": ["aa_web_servant", "aa_web_servant$PRODUCT$12_step_meeting_list", "wordpress", "wordpress$PRODUCT$wordpress"]}