Unauthenticated Broken Access Control in Newsletters Plugin by WordPress
CVE-2026-54840

7.3HIGH

Key Information:

Vendor: WordPress
Status: Newsletters
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-54840?

Recent findings reveal an unauthenticated broken access control vulnerability in the Newsletters plugin for WordPress, specifically affecting versions up to 4.13. This vulnerability allows attackers to access restricted functionalities without proper authentication checks. Users and administrators of the plugin are encouraged to update to the latest version to mitigate potential security risks.

Affected Version(s)

Newsletters <= 4.13

References

https://patchstack.com/database/wordpress/plugin/newslett...

vdb-entry

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 16, 2026

Credit

HieuPenguinnn | Patchstack Bug Bounty Program

CVE-2026-54840 Data

JSON