CVE-2026-27362: Missing Authorization in kamleshyadav WP Bakery Autoresponder Addon
Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6.
AI Analysis
Technical Summary
CVE-2026-27362 identifies a missing authorization vulnerability in the WP Bakery Autoresponder Addon (vc-autoresponder-addon) developed by kamleshyadav, affecting all versions up to and including 1.0.6. The vulnerability stems from improperly configured access control mechanisms within the plugin, which fails to adequately verify whether a user has the necessary permissions before allowing certain actions. This misconfiguration can be exploited by attackers to perform unauthorized operations, potentially including sending unauthorized autoresponder messages, modifying plugin settings, or accessing sensitive data managed by the addon. The WP Bakery Autoresponder Addon is a WordPress plugin that integrates autoresponder functionality into WP Bakery Page Builder, widely used for creating and managing website content. Although no public exploits have been reported yet, the vulnerability’s presence in a popular plugin makes it a significant risk. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. Given that the flaw allows bypassing authorization controls without requiring user interaction or authentication, the risk of unauthorized access is elevated. The vulnerability affects the confidentiality and integrity of the affected systems, as attackers could manipulate autoresponder functions or access restricted data. The scope is limited to sites using this specific addon, but given WordPress’s global market share, the potential reach is broad. The vulnerability was published in early March 2026, with no patches currently linked, indicating that users must rely on interim mitigations until an official fix is released.
Potential Impact
The missing authorization vulnerability in the WP Bakery Autoresponder Addon can have several adverse impacts on organizations worldwide. Unauthorized users could exploit the flaw to send unauthorized autoresponder emails, potentially leading to phishing campaigns, spam distribution, or reputational damage. Attackers might also alter autoresponder settings or access sensitive information managed by the plugin, compromising data confidentiality and integrity. For organizations relying on WP Bakery for content management, this could disrupt marketing communications and customer engagement workflows. Additionally, unauthorized access could be leveraged as a foothold for further attacks within the WordPress environment, including privilege escalation or data exfiltration. The impact is particularly critical for e-commerce sites, media outlets, and businesses that depend heavily on automated email responses for customer interaction. Although no known exploits are in the wild, the vulnerability’s existence increases the attack surface and risk profile of affected sites. The absence of a patch increases the window of exposure, making timely mitigation essential to reduce potential damage.
Mitigation Recommendations
To mitigate CVE-2026-27362 effectively, organizations should implement the following specific measures:
1. Immediately restrict access to the WP Bakery Autoresponder Addon’s administrative and API endpoints by limiting them to trusted IP addresses or authenticated users only, using web application firewalls or server-level access controls.
2. Monitor logs for unusual or unauthorized activity related to the plugin, such as unexpected autoresponder triggers or configuration changes.
3. Disable or uninstall the WP Bakery Autoresponder Addon if it is not essential, to reduce the attack surface.
4. Engage with the plugin developer or vendor to obtain patches or updates as soon as they become available, and prioritize their deployment.
5. Implement role-based access control (RBAC) within WordPress to ensure only authorized personnel can manage or interact with the plugin.
6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their configurations.
7. Educate site administrators about the risks of unauthorized access and the importance of timely updates.
These steps go beyond generic advice by focusing on access restriction, monitoring, and proactive plugin management tailored to this specific vulnerability.
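As an added illustration (not code from vc-autoresponder-addon, whose affected endpoint this page does not identify), the following hypothetical WordPress admin-ajax handler shows the missing-authorization pattern that CWE-862 describes beside the hardened form that step 5 above calls for. The hook name `vcar_send`, the option `vcar_subject` and the nonce action are invented.

```php
<?php
// Added example, not the plugin's code. Hook, option and nonce names are invented.

// VULNERABLE PATTERN: the handler never asks who is calling. Registering the
// nopriv hook as well would expose it even to anonymous visitors.
function vcar_send_autoresponder_insecure() {
    $to   = sanitize_email( $_POST['to'] ?? '' );
    $body = wp_kses_post( $_POST['body'] ?? '' );
    wp_mail( $to, get_option( 'vcar_subject' ), $body ); // side effect, no authz
    wp_send_json_success();
}
// Shown for contrast only; do not register the handler like this:
// add_action( 'wp_ajax_vcar_send',        'vcar_send_autoresponder_insecure' );
// add_action( 'wp_ajax_nopriv_vcar_send', 'vcar_send_autoresponder_insecure' );

// HARDENED FORM: authorization and request-origin checks before any side effect.
function vcar_send_autoresponder_secure() {
    // Authorization: a capability check is the actual fix for missing authz.
    // Pick the narrowest capability that fits the action; manage_options is
    // used here as a conservative default for a settings-level operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce: protects against CSRF. A nonce is NOT a substitute for the
    // capability check above; both are needed.
    check_ajax_referer( 'vcar_send_nonce', 'nonce' );

    $to   = sanitize_email( $_POST['to'] ?? '' );
    $body = wp_kses_post( $_POST['body'] ?? '' );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'invalid recipient', 400 );
    }
    wp_mail( $to, get_option( 'vcar_subject' ), $body );
    wp_send_json_success();
}
// Only the authenticated hook is registered; there is no nopriv variant.
add_action( 'wp_ajax_vcar_send', 'vcar_send_autoresponder_secure' );
```

When auditing a plugin for this class of bug, grep every `wp_ajax_`, `wp_ajax_nopriv_` and `register_rest_route` registration and confirm each handler (or its `permission_callback`) performs a `current_user_can()` check before any write or send.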
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-02-19T09:51:48.838Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69a92050d1a09e29cbe69964
Added to database: 3/5/2026, 6:18:56 AM
Last enriched: 3/5/2026, 8:06:56 AM
Last updated: 3/5/2026, 2:59:02 PM