CVE-2026-24376
Received - Intake
Missing Authorization in WPVulnerability Plugin Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Missing Authorization vulnerability in Javier Casares WPVulnerability (wpvulnerability) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPVulnerability: from n/a through <= 4.2.1.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor           Product          Version / Range
javier_casares   wpvulnerability  up to and including 4.2.1
patchstack       wpvulnerability  up to and including 4.2.1
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24376 is a medium severity Broken Access Control vulnerability in the WordPress WPVulnerability Plugin versions up to and including 4.2.1.

The issue arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users (such as subscribers) to perform actions that should be restricted to higher privileged roles (like developers).

This vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 6.5, indicating a moderate risk.
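To make the "missing authorization, authentication, or nonce token check" pattern concrete, here is an added, constructed example of CWE-862 in a generic WordPress AJAX handler, shown next to its hardened form. It is not code from the WPVulnerability plugin; the action names, option name and capability are hypothetical.

```php
<?php
// Constructed illustration of CWE-862 in a WordPress plugin. Not the
// WPVulnerability plugin's code; all names below are hypothetical.

// VULNERABLE: wp_ajax_* callbacks run for every logged-in user, so a
// subscriber can reach this handler. The callback performs neither a
// capability check (authorization) nor a nonce check (request forgery).
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value ); // privileged write, no authorization
    wp_send_json_success();
}

// HARDENED: verify the nonce and the capability before doing anything
// privileged. Both are needed: a valid nonce only shows the request came
// from a page this user loaded, not that the user is allowed to act.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_checked' );
function example_save_settings_checked() {
    // Stops the request (HTTP 403) unless a valid nonce for this action is
    // present in the 'nonce' POST/GET parameter.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Restrict to the capability the action really requires; 'manage_options'
    // is administrators only in a default single-site install.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// The nonce the hardened handler expects is generated server-side for the
// admin page that issues the request, for example:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_save_settings' ),
// ) );
```

When reviewing a plugin for this weakness, look at every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that a `current_user_can()` (or REST `permission_callback`) check guards each privileged action, not just a nonce check.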


How can this vulnerability impact me?

Exploitation of this vulnerability could allow attackers to perform unauthorized actions on affected WordPress sites, potentially compromising site integrity and security.

Attackers could leverage this flaw to conduct mass-exploit campaigns targeting thousands of WordPress sites regardless of their traffic or popularity.

This could lead to unauthorized changes, data manipulation, or other malicious activities that normally require higher privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from missing authorization checks in the WPVulnerability plugin, allowing unprivileged users to perform restricted actions. Detection involves monitoring for unauthorized access attempts or unusual activity from low-privileged accounts.

While specific commands are not provided, you can detect exploitation attempts by checking web server logs for suspicious requests targeting WPVulnerability plugin endpoints or by using security tools that monitor for broken access control patterns.

Additionally, applying Patchstack’s automatic mitigation rules or security services can help detect and block attacks targeting this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the WPVulnerability plugin to version 4.2.1.1 or later, where the vulnerability has been patched.

Until the update can be applied, users are advised to implement Patchstack’s automatic mitigation rule that blocks attacks targeting this vulnerability.

Users should also consider leveraging Patchstack’s security services or consult their hosting provider or web developer for assistance in applying these mitigations.

Enabling auto-update features for vulnerable plugins can ensure rapid protection against this and similar vulnerabilities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher privileged roles. Such unauthorized access can lead to exposure or manipulation of sensitive data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, exploitation of this vulnerability could potentially lead to non-compliance with data protection regulations by allowing unauthorized data access or modification.

