{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24532", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:40.820Z", "datePublished": "2026-01-23T14:28:50.669Z", "dateUpdated": "2026-04-28T16:14:48.776Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sitelock", "product": "SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans", "vendor": "SiteLock", "versions": [{"changes": [{"at": "5.0.3", "status": "unaffected"}], "lessThanOrEqual": "5.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:57.173Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in SiteLock SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.</p>"}], "value": "Missing Authorization vulnerability in SiteLock SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.776Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress SiteLock Security plugin <= 5.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:14:24.674924Z", "id": "CVE-2026-24532", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:14:27.403Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24532", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:40.820Z", "datePublished": "2026-01-23T14:28:50.669Z", "dateUpdated": "2026-04-28T14:14:27.403Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sitelock", "product": "SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans", "vendor": "SiteLock", "versions": [{"changes": [{"at": "5.0.3", "status": "unaffected"}], "lessThanOrEqual": "5.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:57.173Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in SiteLock SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.</p>"}], "value": "Missing Authorization vulnerability in SiteLock SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.655Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress SiteLock Security plugin <= 5.0.2 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:14:24.674924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T19:08:53.558Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in SiteLock SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2."}, {"lang": "es", "value": "Vulnerabilidad por autorizaci\u00f3n faltante en SiteLock SiteLock Security sitelock permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a SiteLock Security: desde n/a hasta &lt;= 5.0.2."}], "id": "CVE-2026-24532", "lastModified": "2026-04-28T15:16:10.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:09.273", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T00:56:51.108849+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch by upgrading SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans to the latest release that contains the authorization fix.", "If an update is not available, temporarily disable the plugin until a vendor fix is released.", "Restrict administrative access to the plugin\u2019s endpoints by enforcing HTTPS, using role\u2011based restrictions, and limiting access to trusted IP addresses."], "summary": {"action": "Patch", "impact": "Unauthorized access due to missing authorization controls"}, "threat_synthesis": {"affected_systems": "All installations of SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans from the earliest available versions up to and including 5.0.2 are vulnerable. The product is offered by SiteLock, and any site running one of these versions is at risk regardless of its WordPress version.", "description_and_impact": "The SiteLock Security \u2013 WP Hardening, Login Security & Malware Scans plugin contains a missing authorization flaw that lets attackers bypass the plugin\u2019s configured security levels. Classified as CWE\u2011862, the vulnerability allows an attacker to reach administrative endpoints that should be restricted, potentially exposing plugin settings and other sensitive data. While the description does not note arbitrary code execution, the loss of access control threatens the confidentiality and integrity of the WordPress site.", "risk_and_exploitability": "With a CVSS score of 4.3 this vulnerability is moderate severity. The EPSS score is below 1\u202f%, indicating a relatively low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Attackers would likely target the plugin via web\u2011based administrative interfaces, crafting requests that exploit the missing access control to gain unauthorized access. The lack of mitigations beyond proper authorization makes the flaw a serious threat when the site is exposed to the network."}}}}, "created": "2026-01-26T11:54:43.989438+00:00", "updated": "2026-04-29T01:00:11.409971+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}