{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24376", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.352Z", "dateUpdated": "2026-03-26T16:50:47.039Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpvulnerability", "product": "WPVulnerability", "vendor": "Javier Casares", "versions": [{"changes": [{"at": "4.2.1.1", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:13.270Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPVulnerability: from n/a through <= 4.2.1.</p>"}], "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:32.352Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:58.068942Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:47.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:58.068942Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:32.639Z"}}], "cna": {"title": "WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Javier Casares", "product": "WPVulnerability", "versions": [{"status": "affected", "changes": [{"at": "4.2.1.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.2.1"}], "packageName": "wpvulnerability", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:13.270Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPVulnerability: from n/a through <= 4.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:32.352Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24376", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:50:47.039Z", "dateReserved": "2026-01-22T14:42:40.516Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:32.352Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Javier Casares WPVulnerability wpvulnerability permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a WPVulnerability: desde n/a hasta &lt;= 4.2.1."}], "id": "CVE-2026-24376", "lastModified": "2026-03-26T17:16:28.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:37.930", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPVulnerability", "source": "cna", "vendor": "Javier Casares"}, "product": "wpvulnerability", "vendor": "javier_casares"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:43:17.273280+00:00", "value": {"mitigation_remediation": ["Upgrade the WPVulnerability plugin to the latest version (4.2.2 or newer) to eliminate the missing authorization flaw.", "If an upgrade is not available, deactivate or remove the plugin from the WordPress installation to prevent exploitation.", "After updating, review WordPress user roles and capabilities to ensure that access controls are correctly configured."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access due to missing authorization controls"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the WPVulnerability plugin from its initial version through 4.2.1, authored by Javier Casares. Site owners using any of these versions are exposed; upgrading beyond 4.2.1 removes the flaw.", "description_and_impact": "The WPVulnerability WordPress plugin contains a missing authorization flaw that allows users to bypass configured access control levels. Because the plugin does not verify appropriate privileges before permitting sensitive actions, an attacker can gain elevated access within the WordPress admin interface. This weakness corresponds to the Common Weakness Enumeration identifier CWE-862.", "risk_and_exploitability": "The CVSS score is not provided, indicating that the precise severity is unclear, but the lack of an authorization check typically yields a high impact on confidentiality and integrity. Exploit probability data is unavailable, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, yet attackers could still target the plugin via the web interface. Immediate remediation through patching is advised, with temporary mitigation including disabling the plugin."}}}}, "created": "2026-03-25T21:34:45.868515+00:00", "updated": "2026-03-26T11:40:00.160440+00:00", "vendors": ["javier_casares", "javier_casares$PRODUCT$wpvulnerability", "wordpress", "wordpress$PRODUCT$wordpress"]}