CVE-2026-24950
Authorization Bypass in Authorsy Plugin via Access Control Misconfiguration
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeplugs | authorsy | to 1.0.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24950 is a high-priority Insecure Direct Object References (IDOR) vulnerability in the WordPress Authorsy plugin versions up to and including 1.0.6.
This vulnerability allows unauthenticated attackers to bypass authorization and authentication controls, enabling them to access sensitive files, folders, or database interactions without proper permissions.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 7.5, indicating high severity and a strong likelihood of exploitation.
The issue was reported by researcher NumeX and fixed in version 1.0.7 of the Authorsy plugin.
How can this vulnerability impact me? :
This vulnerability can have serious impacts as it allows attackers without any privileges to bypass access controls and gain unauthorized access to sensitive resources such as files, folders, or database information.
Such unauthorized access can lead to data breaches, exposure of confidential information, and potential manipulation or theft of data.
Because the vulnerability is exploitable without authentication, it poses a significant risk to the security and integrity of websites using the vulnerable Authorsy plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-24950 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress Authorsy plugin versions up to 1.0.6 that allows unauthorized access without authentication.
Detection typically involves monitoring for unauthorized access attempts to sensitive files, folders, or database interactions related to the Authorsy plugin.
While no specific commands are provided, network or system administrators can look for unusual HTTP requests targeting the Authorsy plugin endpoints, especially those attempting to access resources without proper authorization.
Using web application firewall (WAF) logs or intrusion detection systems (IDS) to identify suspicious access patterns related to the Authorsy plugin may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the Authorsy WordPress plugin to version 1.0.7 or later, where the vulnerability is patched.'}, {'type': 'paragraph', 'content': "Until the update can be applied, it is recommended to use Patchstack's provided mitigation rules that block attacks targeting this vulnerability."}, {'type': 'paragraph', 'content': 'Additionally, enabling automatic updates for the Authorsy plugin can ensure rapid protection against this and future vulnerabilities.'}] [1]