What the vulnerability does
01 Description
Missing Authorization vulnerability in Xylus Themes WP Bulk Delete wp-bulk-delete allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bulk Delete: from n/a through <= 1.3.6.
Explanation of Vulnerability in Simple Terms
02 Summary
WP Bulk Delete through version 1.3.6 does not properly check user permissions before allowing certain actions. A logged-in user with low privileges can read sensitive information they should not have access to. The vulnerability requires an active WordPress account but no special interaction from the victim.
What an attacker can do
03 Attacker Capabilities
Read sensitive information they should not have access to as a low-privilege user.
Potential impact on your site
04 Site Impact
Low-privilege users (subscribers, contributors) can access confidential data they should not see.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low privileges.
Key dates
06 Disclosure timeline
August 27, 2025: CVE published
May 12, 2026: Record updated