{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24599", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:12.343Z", "datePublished": "2026-01-23T14:29:02.765Z", "dateUpdated": "2026-04-28T16:14:50.164Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-thank-you-page-nextmove-lite", "product": "NextMove Lite", "vendor": "XLPlugins", "versions": [{"changes": [{"at": "2.24.0", "status": "unaffected"}], "lessThanOrEqual": "2.23.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:09.633Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NextMove Lite: from n/a through <= 2.23.0.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.164Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:40:02.795470Z", "id": "CVE-2026-24599", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:38:40.279Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24599", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:40:02.795470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:37:47.261Z"}}], "cna": {"title": "WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "XLPlugins", "product": "NextMove Lite", "versions": [{"status": "affected", "changes": [{"at": "2.24.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.23.0"}], "packageName": "woo-thank-you-page-nextmove-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:25.287Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NextMove Lite: from n/a through <= 2.23.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:45.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24599", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:38:40.279Z", "dateReserved": "2026-01-23T12:32:12.343Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:02.765Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0."}, {"lang": "es", "value": "Vulnerabilidad de elusi\u00f3n de autorizaci\u00f3n a trav\u00e9s de clave controlada por el usuario en XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a NextMove Lite: desde n/a hasta &lt;= 2.23.0."}], "id": "CVE-2026-24599", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:18.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:34:43.132934+00:00", "value": {"mitigation_remediation": ["Upgrade NextMove Lite to a version higher than 2.23.0 where the IDOR fix is applied.", "Review and tighten the plugin\u2019s role and capability settings, ensuring that only administrators or appropriately privileged users can access and modify thank\u2011you page data.", "Verify that WordPress user roles have not been granted unnecessary capabilities such as \"Edit other user\u2019s data,\" and remove any custom user\u2011controlled keys that bypass standard access checks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Object Access"}, "threat_synthesis": {"affected_systems": "Vendors impacted include XLPlugins, specifically the NextMove Lite woo\u2011thank\u2011you\u2011page\u2011nextmove\u2011lite plugin for all versions up to and including 2.23.0. Any WordPress installation using this plugin within that version range may be susceptible. No specific stripping of affected sub\u2011versions is provided, so the entire range from the first release to 2.23.0 is considered at risk.\n", "description_and_impact": "The NextMove Lite WordPress plugin suffers from an Insecure Direct Object Reference flaw that allows an attacker to manipulate the user-controlled key used in accessing plugin resources. By altering request parameters, an unauthorized individual may access, view, or modify data intended only for privileged users. The weakness stems from improper validation of authorization checks, classified as CWE-639. The vulnerability can lead to unauthorized information disclosure or modification of the thank\u2011you page content and related settings, compromising the integrity of the site\u2019s checkout flow.\n", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate severity, while the EPSS probability is below 1\u202f%, showing a low likelihood of exploitation in the near term. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited, but that does not mitigate the potential impact. An attacker would need network or application access to launch the exploit, and if successful, could bypass normal authorization controls in the plugin. Because the vulnerability is tied to user\u2011controlled keys, it can be exercised by anyone with knowledge of the key structure, potentially in a public or low\u2011privilege user context.\n"}}}}, "created": "2026-01-26T11:53:29.997102+00:00", "updated": "2026-04-16T01:45:20.650025+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xlplugins", "xlplugins$PRODUCT$nextmove"]}