CVE-2026-23547
Published: 19 February 2026
Summary
CVE-2026-23547 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-23547 is a missing authorization vulnerability (CWE-862) in the CMSMasters Content Composer WordPress plugin (cmsmasters-content-composer). It allows exploitation of incorrectly configured access control security levels and affects all versions up to and including 2.5.8 (the record lists the range as n/a through 2.5.8). The issue was published on 2026-02-19 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). The High rating reflects network accessibility, low attack complexity, and significant confidentiality impact.
A low-privileged authenticated user (PR:L) can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction. Successful exploitation has a high confidentiality impact (access to sensitive data the user is not authorized for), a low integrity impact (limited modifications), and no availability impact.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cmsmasters-content-composer/vulnerability/wordpress-cmsmasters-content-composer-plugin-2-5-8-broken-access-control-vulnerability?_s_id=cve documents this broken access control issue in version 2.5.8 of the WordPress plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8352
Vulnerability details
Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote exploitation of the application by authenticated users to access unauthorized data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations for all accesses, which is the exact control missing in the plugin's broken access control logic.
Requires that accounts and processes operate with the minimum privileges needed, preventing low-privileged users from reaching unauthorized data or functions.
Ensures access control decisions are made and enforced consistently by the system rather than relying on incorrectly configured plugin security levels.