vc-autoresponder-addon Vulnerability (Medium) – CVE-2026-27362

by | Mar 5, 2026 | Plugins

Attack Vectors

The Bakery Autoresponder Addon plugin (product slug: vc-autoresponder-addon) has a missing authorization (capability) check in versions up to and including 1.0.6. With a Medium severity rating (CVSS 5.3), this issue can allow an unauthenticated attacker to trigger an unauthorized action; no login is required.

From a business-risk perspective, the most important takeaway is that the attack does not require user interaction or credentials. That lowers the barrier for opportunistic scanning and exploitation against any public-facing WordPress site running the affected plugin version.

Security Weakness

This vulnerability (CVE-2026-27362) is caused by a missing capability check on a plugin function. In practical terms, the plugin does not consistently verify whether a request is coming from a properly authorized WordPress user before allowing certain actions.

Because the authorization check is missing, normal access controls that business leaders expect—such as “only admins can change settings”—may not apply to the affected function. Even if the impact is limited to integrity changes (as indicated by the CVSS vector), the weakness still represents a governance and control failure that can undermine trust in site operations.
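To make the weakness class concrete for developers reviewing their own plugins, here is an added illustration of a missing capability check and its hardened counterpart. This is not code from vc-autoresponder-addon or from the Wordfence advisory; the handler names, the AJAX action names, the nonce action and the option key (example_autoresponder_url) are all assumptions chosen for the example.

```php
<?php
/**
 * Added illustration (not code from the vc-autoresponder-addon plugin).
 * A hypothetical settings-save AJAX handler written two ways. Every name
 * here (example_save_settings*, example_autoresponder_url) is assumed.
 */

// --- Weak pattern: reachable without a login and trusts the request as-is ---
// Registering the wp_ajax_nopriv_ hook exposes the handler to unauthenticated
// requests; with no capability or nonce check, any request can change the setting.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_unchecked' );

function example_save_settings_unchecked() {
	$value = isset( $_POST['autoresponder_url'] ) ? $_POST['autoresponder_url'] : '';
	// Integrity impact: whoever reaches this line overwrites the stored option.
	update_option( 'example_autoresponder_url', $value );
	wp_send_json_success();
}

// --- Hardened pattern: logged-in only, nonce + capability verified, input validated ---
// No wp_ajax_nopriv_ registration, so WordPress rejects anonymous callers up front.
add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_secure' );

function example_save_settings_secure() {
	// 1. CSRF protection: the settings page must have embedded a matching nonce
	//    (check_ajax_referer() terminates the request on failure).
	check_ajax_referer( 'example_save_settings', 'nonce' );

	// 2. Authorization: this is the check the advisory describes as missing.
	//    Only users allowed to manage site settings may proceed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: store only a well-formed URL, never raw request data.
	$raw   = isset( $_POST['autoresponder_url'] ) ? wp_unslash( $_POST['autoresponder_url'] ) : '';
	$value = esc_url_raw( $raw );
	if ( '' === $value ) {
		wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
	}

	update_option( 'example_autoresponder_url', $value );
	wp_send_json_success();
}
```

When auditing a plugin for this weakness class, look for every `wp_ajax_nopriv_`, `admin_post_nopriv_`, REST route with `'permission_callback' => '__return_true'`, or `init`-hooked request handler that writes data, and confirm that a `current_user_can()` check (and a nonce check for state-changing requests) sits before the write. Logging the failed-authorization branch (the 403 path above) also gives defenders a detection signal for probing against the endpoint.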

Technical or Business Impacts

Medium severity does not mean “low priority” for marketing-led websites that rely on uptime, brand reputation, and data accuracy. Unauthorized actions can translate into operational disruption, misconfiguration, and avoidable incident response costs.

Potential business impacts include altered site behavior that affects campaign performance (e.g., changes that break lead capture workflows), increased time spent by marketing and web teams investigating anomalies, and reputational risk if site content or customer-facing behaviors appear unreliable.

There is currently no known patch available. For many organizations, the lowest-risk option is to uninstall the affected vc-autoresponder-addon plugin (Bakery Autoresponder Addon) and replace it with a vetted alternative. If removal is not immediately possible, leadership should treat continued use as a risk acceptance decision and ensure compensating controls are in place consistent with organizational risk tolerance.

Reference: CVE-2026-27362 and Wordfence vulnerability advisory.

Similar Attacks

Missing authorization and access-control weaknesses are a recurring driver of real-world WordPress compromises. Similar patterns have been seen in widely used plugins, including:

CVE-2021-24340 (Jupiter X Core) — an example of an access control issue that could allow unauthorized actions.

CVE-2021-39320 (WP HTTP API Log) — another case demonstrating how insufficient access controls can expose sensitive functionality to unintended users.
