CVE-2026-39644
WordPress Wp Ultimate Review plugin <= 2.3.8 - Broken Access Control vulnerabilityMissing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8.
We have discovered 3,883 live websites that are affected by CVE-2026-39644.
Affected Software
| Product |  Wp Ultimate Review |
| Category | Wordpress Plugins |
| Vulnerable Domains | 3,883 live websites (98% of Wp Ultimate Review install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 15 versions ( 94% of all versions) |
Details
- Published - Apr 8, 2026
- Updated - Apr 9, 2026
Credits
- hhhai | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-39644 United States | 1,161 websites |
 India | 336 websites |
 Germany | 292 websites |
 Cyprus | 225 websites |
 GB | 198 websites |
 Brazil | 176 websites |
 France | 176 websites |
 Italy | 110 websites |
 Canada | 85 websites |
 Netherlands | 77 websites |
Website Distribution by TLD
Number of websites using CVE-2026-39644| .com | 2,019 websites |
| .org | 182 websites |
| .com.br | 162 websites |
| .de | 92 websites |
| .net | 86 websites |
| .co.uk | 83 websites |
| .it | 81 websites |
| .nl | 79 websites |
| .fr | 57 websites |
| .com.au | 51 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-39644
Top websites that are affected by CVE-2026-39644. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | Canada | ***,*** | |
| ************.com | United States | ***,*** | |
| ********.org | United States | ***,*** | |
| ********.rentals | United States | ***,*** | |
| **************.com | United States | ***,*** | |
| *******.******.***.br | Brazil | ***,*** | |
| ****************.it | Italy | ***,*** | |
| *********.com | United States | ***,*** | |
| **********.**.uk | GB | ***,*** | |
| ************.com | United States | ***,*** |
FAQ
A total of 3,883 websites have been identified as vulnerable to CVE-2026-39644, based on global website indexing conducted by WebTechSurvey.
The Wp Ultimate Review is affected by the CVE-2026-39644 vulnerability.
Wp Ultimate Review versions up to and including 2.3.8 are vulnerable to CVE-2026-39644.