CVE-2026-24633
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| passionate_brains | add_expires_headers_&_optimized_minify | to 3.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress plugin "Add Expires Headers & Optimized Minify" up to version 3.1.0. It occurs because of missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that should require higher privileges. [1]
How can this vulnerability impact me? :
The vulnerability allows unauthorized users to perform privileged actions within the plugin, potentially leading to unauthorized changes or access. However, the severity is considered low (CVSS 5.3), and exploitation is unlikely. No official fix is currently available, but mitigation solutions exist. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for unauthorized access attempts or actions on the Add Expires Headers & Optimized Minify plugin, especially functions lacking authorization checks. Since no specific detection commands are provided, monitoring web server logs for suspicious requests targeting this plugin and verifying plugin version (<= 3.1.0) is recommended. For example, on a Linux server, you can use commands like 'grep add-expires-headers /var/log/apache2/access.log' or 'grep add-expires-headers /var/log/nginx/access.log' to find relevant requests. Additionally, verify the plugin version via WordPress admin or by checking the plugin files. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the plugin's functionality by limiting permissions to trusted users only, disabling or uninstalling the plugin if not essential, and monitoring for suspicious activity. Since no official fix or patched version is currently available, applying access control measures at the server or application level is advised. Additionally, keep an eye on Patchstack for updates and mitigation solutions. [1]