{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24616", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:24.372Z", "datePublished": "2026-01-23T14:29:05.461Z", "dateUpdated": "2026-04-28T16:14:50.395Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-popups-lite", "product": "WP Popups", "vendor": "Damian", "versions": [{"changes": [{"at": "2.2.0.6", "status": "unaffected"}], "lessThanOrEqual": "2.2.0.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:49.641Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Popups: from n/a through <= 2.2.0.5.</p>"}], "value": "Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Popups: from n/a through <= 2.2.0.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.395Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Popups plugin <= 2.2.0.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:49:07.107453Z", "id": "CVE-2026-24616", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:38:51.351Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:49:07.107453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:49:03.229Z"}}], "cna": {"title": "WordPress WP Popups plugin <= 2.2.0.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Damian", "product": "WP Popups", "versions": [{"status": "affected", "changes": [{"at": "2.2.0.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.0.5"}], "packageName": "wp-popups-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:27.072Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Popups: from n/a through <= 2.2.0.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Popups: from n/a through <= 2.2.0.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:46.161Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24616", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:38:51.351Z", "dateReserved": "2026-01-23T12:32:24.372Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:05.461Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Popups: from n/a through <= 2.2.0.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Damian WP Popups wp-popups-lite permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Popups: desde n/a hasta &lt;= 2.2.0.3."}], "id": "CVE-2026-24616", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:20.570", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:30:03.926110+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Popups plugin to the latest released version that addresses the missing authorization flaw", "If an immediate upgrade is not possible, enforce the least\u2011privilege model: limit access to the plugin\u2019s settings to users with super\u2011admin rights only", "As a temporary measure, deactivate the WP Popups plugin until a secure version is available"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access to Plugin Settings"}, "threat_synthesis": {"affected_systems": "The issue affects the Damian WP Popups wp-popups-lite plugin through any build up to and including version 2.2.0.5. Users running any of these versions on their WordPress installations are susceptible.", "description_and_impact": "A missing authorization check in the WP Popups (wp-popups-lite) plugin for versions up to 2.2.0.5 allows an attacker to bypass the intended access controls and manipulate plugin configurations or content. The vulnerability arises from incorrectly configured security levels that do not enforce proper permission checks. Exploitation can lead to unauthorized modification of popup settings, injection of malicious content, or exposure of confidential content hosted by the plugin, compromising the integrity and confidentiality of the site.", "risk_and_exploitability": "The CVSS score of 6.5 places the vulnerability in the medium\u2011to\u2011high severity range. The EPSS score of less than 1% indicates a low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via the web interface, where an authenticated user with sufficient privileges\u2014such as an account lacking proper role restrictions\u2014could reach the plugin\u2019s configuration pages and alter settings without further permissions. The absence of an explicit workaround suggests that the only viable mitigations revolve around applying a patch or disabling the plugin."}}}}, "created": "2026-01-26T11:53:19.770637+00:00", "updated": "2026-04-16T01:30:20.317549+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}