{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39614", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.974Z", "datePublished": "2026-04-08T08:30:24.340Z", "dateUpdated": "2026-04-08T08:30:24.340Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jw-player-7-for-wp", "product": "JW Player for WordPress", "vendor": "ilGhera", "versions": [{"lessThanOrEqual": "2.3.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.297Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects JW Player for WordPress: from n/a through <= 2.3.6.</p>"}], "value": "Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through <= 2.3.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:24.340Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jw-player-7-for-wp/vulnerability/wordpress-jw-player-for-wordpress-plugin-2-3-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through <= 2.3.6."}], "id": "CVE-2026-39614", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:31.190", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jw-player-7-for-wp/vulnerability/wordpress-jw-player-for-wordpress-plugin-2-3-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JW Player for WordPress", "source": "cna", "vendor": "ilGhera"}, "product": "jw_player_for_wordpress", "vendor": "ilghera"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:48:42.775329+00:00", "value": {"mitigation_remediation": ["Upgrade JW Player for WordPress to a release newer than 2.3.6", "If an upgrade is not feasible, remove or disable the JW Player plugin from the WordPress installation", "After applying a fix or removal, verify that media access controls function as intended"], "summary": {"action": "Patch", "impact": "Unauthorized access to protected media content"}, "threat_synthesis": {"affected_systems": "The issue affects the JW Player for WordPress plugin released by ilGhera. All publicly available versions up to and including 2.3.6 are vulnerable. Earlier releases are not explicitly listed but are presumed affected unless later versions are known to fix the issue.", "description_and_impact": "A missing authorization flaw in the ilGhera JW Player for WordPress plugin enables users without proper privileges to bypass the plugin's configured access\u2011control settings and view media files that should remain restricted. The weakness is classified as a classic authorization bypass, documented as CWE\u2011862, and can lead to the exposure of confidential audio or video assets. Because the plugin controls media delivery, an attacker could retrieve large amounts of proprietary content or manipulate it, impacting confidentiality and integrity.", "risk_and_exploitability": "Exploitation requires only web access to a WordPress site hosting the affected plugin; an attacker can send requests to the plugin\u2019s media endpoints to retrieve hidden files. The CVE metadata does not provide an official CVSS or EPSS score, but bypassing access control is inherently critical. The vulnerability is not recorded in the CISA KEV catalog. Because no privileges such as authentication are required, the risk remains high for any site with the plugin installed."}}}}, "created": "2026-04-08T19:29:45.971782+00:00", "updated": "2026-04-08T19:42:02.822230+00:00", "vendors": ["ilghera", "ilghera$PRODUCT$jw_player_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}