Executive Summary

CVE-2026-24366 is a Broken Access Control vulnerability in the YITH WooCommerce Request A Quote WordPress plugin (up to version 2.46.0). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, allowing unauthenticated users to perform actions that should require higher privileges. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated users to perform privileged actions, potentially leading to unauthorized access or manipulation within the affected plugin. However, it has a low severity impact with a CVSS score of 5.3, indicating a low priority for exploitation. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking the version of the YITH WooCommerce Request A Quote plugin installed on your WordPress site. You can detect the vulnerable plugin version by running commands to list installed plugins and their versions, such as 'wp plugin list' using WP-CLI. Additionally, monitoring for unauthorized access attempts or unusual activity related to the plugin's functions may help identify exploitation attempts. Specific commands to detect missing authorization exploits are not provided in the available resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the YITH WooCommerce Request A Quote plugin to version 2.46.1 or later, where the vulnerability is fixed. Applying this update will restore proper authorization checks and prevent unauthenticated users from exploiting the broken access control. Using automated update tools like Patchstack can also help rapidly apply this and other security patches. [1]

Useful 0 Not Useful 0