CVE-2023-26002
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-26002 is a broken access control vulnerability in the WordPress 6Storage Rentals plugin (up to version 2.19.5). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, which allows users with low privileges (Subscriber level) to perform actions that should be restricted to higher-privileged roles. This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. [1]
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform unauthorized actions within the 6Storage Rentals plugin, potentially leading to unauthorized changes or misuse of the system. Although it has a low severity score (4.3) and is considered unlikely to be exploited, if exploited, it could compromise the integrity of the affected WordPress site. There is currently no official patch, but virtual patching is available as a mitigation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized access attempts or actions performed by users with Subscriber-level privileges that should be restricted. Since the vulnerability is due to missing authorization checks in the 6Storage Rentals plugin, monitoring logs for unexpected privilege escalations or unauthorized actions is recommended. However, plugin-based malware scanners may be unreliable for detecting exploitation. No specific commands are provided in the available resources. Seeking professional incident response or assistance from your hosting provider is advised for thorough detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which provides automatic protection even without an official patch. Additionally, restricting Subscriber-level user capabilities and monitoring for suspicious activity can help reduce risk. Consulting with professional incident response teams or your hosting provider is recommended if compromise is suspected. Since no official fix is available, these measures are critical to protect your system. [1]