{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.688Z", "dateUpdated": "2026-04-28T16:14:48.412Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "news-magazine-x", "product": "News Magazine X", "vendor": "wproyal", "versions": [{"changes": [{"at": "1.2.51", "status": "unaffected"}], "lessThanOrEqual": "1.2.50", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:29.181Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects News Magazine X: from n/a through <= 1.2.50.</p>"}], "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.412Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:39:17.652549Z", "id": "CVE-2026-24382", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:05:02.026Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.688Z", "dateUpdated": "2026-04-28T14:05:02.026Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "news-magazine-x", "product": "News Magazine X", "vendor": "wproyal", "versions": [{"changes": [{"at": "1.2.51", "status": "unaffected"}], "lessThanOrEqual": "1.2.50", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:29.181Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects News Magazine X: from n/a through <= 1.2.50.</p>"}], "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.047Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:39:17.652549Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:39:12.223Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en wproyal News Magazine X news-magazine-x permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a News Magazine X: desde n/a hasta &lt;= 1.2.50."}], "id": "CVE-2026-24382", "lastModified": "2026-04-28T15:16:08.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:38.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.50]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.51,*]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "News Magazine X", "source": "cna", "vendor": "wproyal"}, "product": "news_magazine_x", "vendor": "wp-royal-themes"}], "analysis": {"en": {"generated_at": "2026-03-26T23:35:57.606027+00:00", "value": {"mitigation_remediation": ["Update the News Magazine X theme to the latest version available from the vendor.", "Ensure that the upgrade has been applied and remove any older theme files from the WordPress installation.", "Restrict access to theme configuration screens to only trusted administrators.", "Verify that the theme\u2019s URLs and API endpoints are protected by proper authentication and authorization checks."], "summary": {"action": "Patch", "impact": "Unauthorized Administrative Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the News Magazine X theme version 1.2.50 or earlier are affected. Versions beyond 1.2.50 have ceased support for this issue. The vulnerability does not impact WordPress core or other themes.", "description_and_impact": "The News Magazine X theme contains a missing authorization check that permits the exploitation of incorrectly configured access control levels. Attackers could gain unauthorized access to functions that should be restricted to administrators, potentially enabling the modification or deletion of site content or settings. This flaw is a classic example of broken access control (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 7.5 highlights a high severity issue, while the EPSS score of less than 1\u202f% shows a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is web\u2011based, involving crafted HTTP requests to the theme\u2019s administrative or public endpoints where the authorization check is missing; this inference is made because the description refers to a missing authorization in web interfaces. Exploitation would require access to these endpoints and a user interface that does not enforce proper permission checks."}}}}, "created": "2026-03-25T21:34:43.939484+00:00", "updated": "2026-03-27T09:46:25.000806+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-royal-themes", "wp-royal-themes$PRODUCT$news_magazine_x"]}