CVE-2026-24599
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-01-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xlplugins | nextmove_lite | From 2.23.0|end_including=2.23.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24599 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress NextMove Lite Plugin (versions up to 2.23.0). It allows unauthenticated attackers to bypass authorization and authentication controls due to incorrectly configured access control security levels. This means attackers can potentially access sensitive files, folders, or database interactions without proper permissions. [1]
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to access sensitive information or perform actions that should be restricted, potentially leading to data exposure or manipulation. However, it is considered low severity with a CVSS score of 5.3 and is unlikely to be exploited. No official fix is currently available. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official fix or patched version is currently available for this vulnerability, immediate mitigation steps include restricting access to the affected plugin's functionality, monitoring for unauthorized access attempts, and applying strict access control policies to limit exposure. Additionally, consider disabling or removing the NextMove Lite plugin until a patch is released. [1]