CVE-2026-24996
Missing Authorization in WPElemento Importer Allows Unauthorized Access
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpelemento | wpelemento_importer | From 0.0.0 (inc) to 0.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-24996 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-24996 is a Broken Access Control vulnerability in the WordPress WPElemento Importer Plugin versions up to and including 0.6.4.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles.
This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows users with only subscriber-level privileges to exploit the plugin and perform actions reserved for higher-privileged roles.
However, the impact is considered low severity with a CVSS score of 4.3, and exploitation is unlikely.
Users of the affected plugin versions are advised to update to version 0.6.5 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is related to missing authorization checks in the WPElemento Importer WordPress plugin versions up to 0.6.4. Detection involves identifying if the vulnerable plugin version is installed and if unauthorized users can access privileged plugin functions.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can check the installed version of the WPElemento Importer plugin. For example, on a WordPress installation, you can run commands to list plugin versions or inspect plugin files.'}, {'type': 'list_item', 'content': 'Use WP-CLI to check the plugin version: `wp plugin list --format=json | jq \'.[] | select(.name=="wpelemento-importer")\'`'}, {'type': 'list_item', 'content': "Manually check the plugin version in the plugin's main PHP file header or the plugin directory."}, {'type': 'paragraph', 'content': 'Additionally, monitoring access logs for unauthorized attempts to invoke plugin functions or unusual activity from subscriber-level accounts may help detect exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the WPElemento Importer plugin to version 0.6.5 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "If immediate updating is not possible, consider restricting access to the plugin's functions by adjusting user roles and permissions to prevent subscriber-level users from accessing sensitive plugin features."}, {'type': 'paragraph', 'content': 'Enabling automatic updates for plugins can also help ensure that vulnerabilities are patched promptly.'}] [1]