{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24561", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:58.117Z", "datePublished": "2026-01-23T14:28:55.132Z", "dateUpdated": "2026-04-28T16:14:49.311Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "fluent-boards", "product": "FluentBoards", "vendor": "Mahmudul Hasan Arif", "versions": [{"changes": [{"at": "1.9.1.2", "status": "unaffected"}], "lessThanOrEqual": "1.91.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:56.285Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentBoards: from n/a through <= 1.91.1.</p>"}], "value": "Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.311Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress FluentBoards plugin <= 1.91.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:01:37.752427Z", "id": "CVE-2026-24561", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:24:57.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24561", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:01:37.752427Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T19:59:52.508Z"}}], "cna": {"title": "WordPress FluentBoards plugin <= 1.91.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mahmudul Hasan Arif", "product": "FluentBoards", "versions": [{"status": "affected", "changes": [{"at": "1.9.1.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.91.1"}], "packageName": "fluent-boards", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:56.285Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FluentBoards: from n/a through <= 1.91.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.197Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24561", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:24:57.131Z", "dateReserved": "2026-01-23T12:31:58.117Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:55.132Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.1."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n Mahmudul Hasan Arif FluentBoards fluent-boards permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a FluentBoards: desde n/a hasta &lt;= 1.91.1."}], "id": "CVE-2026-24561", "lastModified": "2026-04-28T15:16:14.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:13.487", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:44:20.631330+00:00", "value": {"mitigation_remediation": ["Upgrade FluentBoards to a version newer than 1.91.1 to remove the broken access control flaw.", "Reevaluate and tighten role\u2011based permissions within the plugin to ensure only authorized users can access sensitive configuration options.", "If an upgrade is not immediately available, disable or remove the plugin until the issue is fixed by the vendor."], "summary": {"action": "Patch Now", "impact": "Unauthorized access to plugin configuration and content"}, "threat_synthesis": {"affected_systems": "All installations of the Mahmudul Hasan Arif FluentBoards plugin from the unspecified earliest release up to and including version 1.91.1 are affected. Users deploying these versions should verify the exact build and coordinate an update.", "description_and_impact": "The FluentBoards plugin for WordPress contains a missing authorization flaw that permits attackers to exploit incorrectly configured access control security settings. This weakness, identified as CWE-862, enables a user to view or modify sensitive board data and configuration beyond their intended permissions, potentially leading to data exposure or unauthorized content changes.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, further implying limited current exploitation activity. The likely attack vector is through a compromised or insufficiently privileged account that can manipulate plugin settings, underscoring the need for timely remediation."}}}}, "created": "2026-01-26T11:53:29.269244+00:00", "updated": "2026-04-16T01:45:20.659947+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}