CVE-2026-9619: CWE-862 Missing Authorization in berfect Reviews and Rating – Docplanner
The Reviews and Rating – Docplanner WordPress plugin up to version 1.1.4 contains an authorization bypass vulnerability. Authenticated users with subscriber-level access or higher can exploit this flaw to perform unauthorized actions, including triggering outbound scraping of external websites and injecting scraped review data into the plugin's database table. Additionally, attackers can send feature-request emails from the site administrator's email address. The vulnerability is classified as CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 4.3, indicating medium severity.
AI Analysis
Technical Summary
CVE-2026-9619 is an authorization bypass vulnerability in the Reviews and Rating – Docplanner WordPress plugin affecting all versions up to and including 1.1.4. The plugin fails to properly verify user authorization before allowing certain actions. This allows authenticated users with subscriber-level privileges or higher to initiate outbound scraping of external websites and write the scraped review data into the wp_dp_reviews database table. Furthermore, the vulnerability permits sending feature-request emails from the site administrator's email address, potentially enabling abuse of site functionality. No official patch or remediation level has been provided as of the publication date.
Potential Impact
The vulnerability allows authenticated users with low-level privileges to perform unauthorized actions that can affect data integrity by injecting external scraped content into the plugin's database. It also enables sending emails from the administrator's address, which could be used for phishing or social engineering attacks. There is no direct impact on confidentiality or availability reported. The overall impact is limited to integrity and potential abuse of site functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level user permissions where possible and monitor for unusual outbound requests or unexpected database changes related to the wp_dp_reviews table. Avoid granting unnecessary privileges to low-level users to reduce exploitation risk.
CVE-2026-9619: CWE-862 Missing Authorization in berfect Reviews and Rating – Docplanner
Description
The Reviews and Rating – Docplanner WordPress plugin up to version 1.1.4 contains an authorization bypass vulnerability. Authenticated users with subscriber-level access or higher can exploit this flaw to perform unauthorized actions, including triggering outbound scraping of external websites and injecting scraped review data into the plugin's database table. Additionally, attackers can send feature-request emails from the site administrator's email address. The vulnerability is classified as CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 4.3, indicating medium severity.
CVSS v3.1
Score 4.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9619 is an authorization bypass vulnerability in the Reviews and Rating – Docplanner WordPress plugin affecting all versions up to and including 1.1.4. The plugin fails to properly verify user authorization before allowing certain actions. This allows authenticated users with subscriber-level privileges or higher to initiate outbound scraping of external websites and write the scraped review data into the wp_dp_reviews database table. Furthermore, the vulnerability permits sending feature-request emails from the site administrator's email address, potentially enabling abuse of site functionality. No official patch or remediation level has been provided as of the publication date.
Potential Impact
The vulnerability allows authenticated users with low-level privileges to perform unauthorized actions that can affect data integrity by injecting external scraped content into the plugin's database. It also enables sending emails from the administrator's address, which could be used for phishing or social engineering attacks. There is no direct impact on confidentiality or availability reported. The overall impact is limited to integrity and potential abuse of site functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level user permissions where possible and monitor for unusual outbound requests or unexpected database changes related to the wp_dp_reviews table. Avoid granting unnecessary privileges to low-level users to reduce exploitation risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-26T16:40:59.190Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3b7813eed863c81e5f7338
Added to database: 06/24/2026, 06:24:19 UTC
Last enriched: 06/24/2026, 06:40:33 UTC
Last updated: 06/24/2026, 07:34:59 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.