{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24569", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:58.117Z", "datePublished": "2026-01-23T14:28:56.622Z", "dateUpdated": "2026-04-28T16:14:49.341Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "media-library-file-size", "product": "Media Library File Size", "vendor": "Sully", "versions": [{"changes": [{"at": "1.6.8", "status": "unaffected"}], "lessThanOrEqual": "1.6.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:55.134Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Media Library File Size: from n/a through <= 1.6.7.</p>"}], "value": "Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library File Size: from n/a through <= 1.6.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.341Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Media Library File Size plugin <= 1.6.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:43:40.271436Z", "id": "CVE-2026-24569", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:27:18.205Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24569", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:43:40.271436Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:43:36.993Z"}}], "cna": {"title": "WordPress Media Library File Size plugin <= 1.6.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sully", "product": "Media Library File Size", "versions": [{"status": "affected", "changes": [{"at": "1.6.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.7"}], "packageName": "media-library-file-size", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:55.134Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library File Size: from n/a through <= 1.6.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Media Library File Size: from n/a through <= 1.6.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.136Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24569", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:27:18.205Z", "dateReserved": "2026-01-23T12:31:58.117Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:56.622Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library File Size: from n/a through <= 1.6.7."}, {"lang": "es", "value": "Vulnerabilidad por ausencia de autorizaci\u00f3n en Sully Media librer\u00eda Tama\u00f1o de Archivo media-library-file-size permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Media Library File Size: desde n/a hasta &lt;= 1.6.7."}], "id": "CVE-2026-24569", "lastModified": "2026-04-28T15:16:15.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:14.733", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:28:05.198347+00:00", "value": {"mitigation_remediation": ["Upgrade the Media Library File Size plug\u2011in to a version newer than 1.6.7 that removes the missing authorization flaw.", "If an immediate upgrade is not possible, restrict access to the plug\u2011in\u2019s admin URLs by configuring the site\u2019s .htaccess file or using a security plug\u2011in to allow only administrators to reach the \"media-library-file-size\" endpoints.", "Review the WordPress site\u2019s role\u2011based permissions to ensure that only users with administrative privileges can manage plug\u2011in settings or media library files."], "summary": {"action": "Patch", "impact": "Unauthorized access to plugin functionality"}, "threat_synthesis": {"affected_systems": "WordPress Media Library File Size plug\u2011in released by Sully, affecting all releases up through and including version 1.6.7.", "description_and_impact": "The CVE identifies a missing authorization flaw in the Media Library File Size plug\u2011in (Sully). The vulnerability allows attackers to exploit incorrectly configured access control, potentially granting unauthorized users the ability to modify plugin settings or access media resources. This weakness is classified as CWE\u2011862. The description does not mention remote code execution or direct data exfiltration capabilities.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the WordPress site via the web interface and leverage the plug\u2011in\u2019s administrative endpoints that lack proper authorization checks. The CVE text does not specify the exact interaction method; the likely attack vector is inferred from the plugin\u2019s admin functionality, though this inference is not explicitly stated in the CVE data."}}}}, "created": "2026-01-26T11:53:22.017670+00:00", "updated": "2026-04-16T07:30:28.608595+00:00", "vendors": ["sully", "sully$PRODUCT$media_library_file_size", "wordpress", "wordpress$PRODUCT$wordpress"]}