CVE-2026-24996
Unknown Unknown - Not Provided
Missing Authorization in WPElemento Importer Allows Unauthorized Access

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPElemento Importer: from n/a through <= 0.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24996
EUVD
EUVD-2026-5261
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpelemento wpelemento_importer From 0.0.0 (inc) to 0.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-24996 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-24996 is a Broken Access Control vulnerability in the WordPress WPElemento Importer Plugin versions up to and including 0.6.4.

The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles.

This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows users with only subscriber-level privileges to exploit the plugin and perform actions reserved for higher-privileged roles.

However, the impact is considered low severity with a CVSS score of 4.3, and exploitation is unlikely.

Users of the affected plugin versions are advised to update to version 0.6.5 or later to mitigate this risk.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is related to missing authorization checks in the WPElemento Importer WordPress plugin versions up to 0.6.4. Detection involves identifying if the vulnerable plugin version is installed and if unauthorized users can access privileged plugin functions.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can check the installed version of the WPElemento Importer plugin. For example, on a WordPress installation, you can run commands to list plugin versions or inspect plugin files.'}, {'type': 'list_item', 'content': 'Use WP-CLI to check the plugin version: `wp plugin list --format=json | jq \'.[] | select(.name=="wpelemento-importer")\'`'}, {'type': 'list_item', 'content': "Manually check the plugin version in the plugin's main PHP file header or the plugin directory."}, {'type': 'paragraph', 'content': 'Additionally, monitoring access logs for unauthorized attempts to invoke plugin functions or unusual activity from subscriber-level accounts may help detect exploitation attempts.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the WPElemento Importer plugin to version 0.6.5 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "If immediate updating is not possible, consider restricting access to the plugin's functions by adjusting user roles and permissions to prevent subscriber-level users from accessing sensitive plugin features."}, {'type': 'paragraph', 'content': 'Enabling automatic updates for plugins can also help ensure that vulnerabilities are patched promptly.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart