{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24376", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.352Z", "dateUpdated": "2026-04-28T16:14:48.339Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpvulnerability", "product": "WPVulnerability", "vendor": "Javier Casares", "versions": [{"changes": [{"at": "4.2.1.1", "status": "unaffected"}], "lessThanOrEqual": "4.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:28.660Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPVulnerability: from n/a through <= 4.2.1.</p>"}], "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.339Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:44:58.068942Z", "id": "CVE-2026-24376", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:02:53.584Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24376", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.352Z", "dateUpdated": "2026-04-28T14:02:53.584Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpvulnerability", "product": "WPVulnerability", "vendor": "Javier Casares", "versions": [{"changes": [{"at": "4.2.1.1", "status": "unaffected"}], "lessThanOrEqual": "4.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:28.660Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPVulnerability: from n/a through <= 4.2.1.</p>"}], "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.966Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:58.068942Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:32.639Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Javier Casares WPVulnerability wpvulnerability permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a WPVulnerability: desde n/a hasta &lt;= 4.2.1."}], "id": "CVE-2026-24376", "lastModified": "2026-04-28T15:16:07.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:37.930", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPVulnerability", "source": "cna", "vendor": "Javier Casares"}, "product": "wpvulnerability", "vendor": "javier_casares"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:09:38.791961+00:00", "value": {"mitigation_remediation": ["Update the WPVulnerability plugin to the latest available version (4.2.2 or newer).", "Verify the upgrade by confirming the plugin version number in the WordPress administration panel."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is the WPVulnerability plugin developed by Javier Casares for WordPress. All releases with a version number of 4.2.1 or earlier are vulnerable; versions newer than 4.2.1 are not documented as affected.", "description_and_impact": "A missing authorization check in the WPVulnerability plugin allows users that should not have privileges to view or change sensitive settings. This flaw permits an attacker to bypass normal access controls to the plugin\u2019s configuration and potentially other protected resources, leading to unauthorized data exposure or modification. The weakness corresponds to a broken access control vulnerability classified as CWE\u2011862 and carries a moderate severity rating.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate risk, and the EPSS score of less than 1% suggests that large\u2011scale exploitation is currently unlikely. The flaw does not require any privileged state on the server; access can be achieved remotely by interacting with the plugin\u2019s administrative endpoints, a conclusion inferred from the description of missing authorization. Although no public exploits are listed and the issue is not featured in CISA\u2019s KEV catalog, the potential for unauthorized control warrants timely remediation."}}}}, "created": "2026-03-25T21:34:45.868515+00:00", "updated": "2026-03-27T09:46:27.127092+00:00", "vendors": ["javier_casares", "javier_casares$PRODUCT$wpvulnerability", "wordpress", "wordpress$PRODUCT$wordpress"]}