{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24578", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:02.839Z", "datePublished": "2026-01-23T14:28:58.618Z", "dateUpdated": "2026-04-28T16:14:49.742Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "admin-login-url-change", "product": "Admin login URL Change", "vendor": "Jahid Hasan", "versions": [{"lessThanOrEqual": "1.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mohamad Fattyr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:54.960Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Admin login URL Change: from n/a through <= 1.1.5.</p>"}], "value": "Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin login URL Change: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.742Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Admin login URL Change plugin <= 1.1.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:37:49.610448Z", "id": "CVE-2026-24578", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:29:26.568Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:37:49.610448Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:37:43.127Z"}}], "cna": {"title": "WordPress Admin login URL Change plugin <= 1.1.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mohamad Fattyr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Jahid Hasan", "product": "Admin login URL Change", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.5"}], "packageName": "admin-login-url-change", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:54.960Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin login URL Change: from n/a through <= 1.1.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Admin login URL Change: from n/a through <= 1.1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.739Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24578", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:29:26.568Z", "dateReserved": "2026-01-23T12:32:02.839Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:58.618Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin login URL Change: from n/a through <= 1.1.5."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Jahid Hasan Admin login URL Change admin-login-url-change permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Admin login URL Change: desde n/a hasta &lt;= 1.1.5."}], "id": "CVE-2026-24578", "lastModified": "2026-04-28T15:16:16.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:15.623", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:27:16.560490+00:00", "value": {"mitigation_remediation": ["Upgrade the Admin login URL Change plugin to any release newer than 1.1.5 to remove the missing authorization flaw.", "If an upgrade cannot be performed immediately, restrict access to the plugin\u2019s endpoints by limiting them to administrator roles using WordPress\u2019s role\u2011based access controls, or by adding server\u2011level restrictions such as .htaccess rules.", "Disable the plugin entirely if the functionality is not required, and verify that no other components rely on it before doing so."], "summary": {"action": "Assess and Patch", "impact": "Unauthorized access due to missing authorization"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Jahid Hasan\u2019s Admin login URL Change plugin, versions up through 1.1.5. The flaw affects the entire plugin codebase and any WordPress installation that has not upgraded beyond the affected version.", "description_and_impact": "A missing authorization flaw in the Admin login URL Change plugin allows an attacker to bypass standard access controls, enabling operations that should be restricted to privileged users. The vulnerability stems from incorrectly configured access control security levels, meaning ordinary users, or potentially unauthenticated actors, can exploit the plugin\u2019s functionality to gain elevated privileges or manipulate login URLs. This broken access control flaw (CWE\u2011862) directly threatens the confidentiality, integrity, and availability of the site\u2019s administrative functions.", "risk_and_exploitability": "The CVSS base score of 4.3 places this issue in the moderate severity range, and the EPSS score of less than 1\u202f% indicates a low probability of being actively exploited in the wild. The vulnerability is not listed in CISA\u2019s known\u2011exploited catalog. The likely attack vector is through the web interface of the plugin, where an attacker can send crafted requests to APIs or endpoints without verifying user roles. The lack of authentication checks enables successful exploitation, yielding unauthorized administrative access on affected sites."}}}}, "created": "2026-01-26T11:52:41.873702+00:00", "updated": "2026-04-16T07:30:28.607331+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}