CVE-2026-28104
Missing Authorization in Site Suggest β€1.3.9 Allows Unauthorized Access
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blurr | site_suggest | to 1.3.9 (inc) |
| aryan_shirani_bid_abadi | site_suggest | to 1.3.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28104 is a Broken Access Control vulnerability in the WordPress Site Suggest Plugin versions up to and including 1.3.9. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows unauthenticated users to perform actions that should be restricted to higher privileged users, meaning attackers can access or manipulate functionality without proper permissions.
The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 6.5, indicating moderate severity.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions on your website using the Site Suggest plugin without proper authentication.
Such unauthorized access can lead to manipulation or misuse of site functionality, potentially compromising the integrity and security of your website.
Since the exploit requires no authentication, it increases the risk of exploitation by attackers, which could result in data exposure or unauthorized changes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization checks in the Site Suggest WordPress plugin, allowing unauthenticated users to perform privileged actions.
While no specific detection commands are provided, monitoring for unusual or unauthorized access attempts to the Site Suggest plugin endpoints could help identify exploitation attempts.
Applying web server or application firewall logs to detect requests targeting the Site Suggest plugin functions without proper authentication may be useful.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks targeting this flaw.
Users are advised to implement this mitigation promptly to protect their websites from exploitation.
Additionally, monitoring and restricting unauthenticated access to the Site Suggest plugin functions can reduce risk.