CVE-2026-28104
Received Received - Intake
Missing Authorization in Site Suggest ≀1.3.9 Allows Unauthorized Access

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Patchstack

Description
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through <= 1.3.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28104
EUVD
EUVD-2026-9759
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
blurr site_suggest to 1.3.9 (inc)
aryan_shirani_bid_abadi site_suggest to 1.3.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28104 is a Broken Access Control vulnerability in the WordPress Site Suggest Plugin versions up to and including 1.3.9. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unauthenticated users to perform actions that should be restricted to higher privileged users, meaning attackers can access or manipulate functionality without proper permissions.

The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 6.5, indicating moderate severity.

Impact Analysis

This vulnerability can allow unauthorized users to perform privileged actions on your website using the Site Suggest plugin without proper authentication.

Such unauthorized access can lead to manipulation or misuse of site functionality, potentially compromising the integrity and security of your website.

Since the exploit requires no authentication, it increases the risk of exploitation by attackers, which could result in data exposure or unauthorized changes.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization checks in the Site Suggest WordPress plugin, allowing unauthenticated users to perform privileged actions.

While no specific detection commands are provided, monitoring for unusual or unauthorized access attempts to the Site Suggest plugin endpoints could help identify exploitation attempts.

Applying web server or application firewall logs to detect requests targeting the Site Suggest plugin functions without proper authentication may be useful.

Mitigation Strategies

Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks targeting this flaw.

Users are advised to implement this mitigation promptly to protect their websites from exploitation.

Additionally, monitoring and restricting unauthenticated access to the Site Suggest plugin functions can reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart