CVE-2026-54837
Deferred Deferred - Pending Action

Unauthenticated Broken Access Control in Intranet & Private Site All-In-One

Vulnerability report for CVE-2026-54837, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Unauthenticated Broken Access Control in Intranet &amp; Private Site &#8211; All-In-One Intranet <= 1.8.1 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack all-in-one-intranet to 1.8.1 (inc)
patchstack all-in-one-intranet From 1.9.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-54837 affects the WordPress plugin "Intranet & Private Site – All-In-One Intranet" version 1.8.1 or earlier. It is a Broken Access Control flaw that allows unauthenticated users to perform actions that normally require higher privileges. This happens because the plugin lacks proper authorization checks, enabling unauthorized access.

Impact Analysis

This vulnerability can have a significant impact as it allows attackers who are not logged in to perform privileged actions. This could lead to unauthorized access to sensitive information or control over parts of the intranet site. The CVSS score of 7.5 indicates a moderate to high risk, with potential for widespread exploitation if not patched.

Compliance Impact

The vulnerability allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks, which can lead to unauthorized access to sensitive information.

Such unauthorized access could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict access controls to protect personal and sensitive data.

Therefore, if exploited, this vulnerability may compromise the confidentiality of protected data, leading to regulatory violations and associated penalties.

Mitigation Strategies

The vulnerability affects versions 1.8.1 or earlier of the WordPress plugin "Intranet & Private Site – All-In-One Intranet."

To mitigate this vulnerability, users should immediately update the plugin to version 1.9.0 or later.

If updating immediately is not possible, users are advised to seek assistance from their hosting providers or developers.

Enabling auto-updates for the plugin, if available, is also recommended to ensure timely patching.

No virtual patch is available for this vulnerability, so updating is the only effective mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54837. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart