{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24622", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:28.686Z", "datePublished": "2026-01-23T14:29:06.858Z", "dateUpdated": "2026-04-28T16:14:50.669Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "suggestion-toolkit", "product": "Suggestion Toolkit", "vendor": "Sergiy Dzysyak", "versions": [{"lessThanOrEqual": "5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:47.699Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Suggestion Toolkit: from n/a through <= 5.0.</p>"}], "value": "Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Suggestion Toolkit: from n/a through <= 5.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.669Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Suggestion Toolkit plugin <= 5.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T16:00:41.795994Z", "id": "CVE-2026-24622", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:40:40.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T16:00:41.795994Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T15:59:49.948Z"}}], "cna": {"title": "WordPress Suggestion Toolkit plugin <= 5.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sergiy Dzysyak", "product": "Suggestion Toolkit", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0"}], "packageName": "suggestion-toolkit", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:47.699Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Suggestion Toolkit: from n/a through <= 5.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Suggestion Toolkit: from n/a through <= 5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.086Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24622", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:40:40.651Z", "dateReserved": "2026-01-23T12:32:28.686Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:06.858Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Suggestion Toolkit: from n/a through <= 5.0."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Suggestion Toolkit: desde n/a hasta &lt;= 5.0."}], "id": "CVE-2026-24622", "lastModified": "2026-04-28T15:16:20.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:21.350", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:44:09.829716+00:00", "value": {"mitigation_remediation": ["Upgrade Suggestion Toolkit to a version newer than 5.0", "Remove the plugin if it is not required for site functionality", "Ensure only trusted user roles have administrative access to the plugin\u2019s settings and audit any custom role or capability configurations that might expose restricted functions"], "summary": {"action": "Apply Patch", "impact": "Authorization bypass leading to unauthorized access to protected plugin functionality"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Suggestion Toolkit plugin from Sergiy Dzysyak, version 5.0 or earlier, are affected. Any installation that has not upgraded past the 5.0 release and relies on this plugin for any functionality is susceptible. Site administrators should verify the plugin version and review the vendor\u2019s release notes for updates.", "description_and_impact": "The vulnerability is a missing authorization check in the Suggestion Toolkit WordPress plugin, allowing users without proper privileges to perform actions or view data that the plugin protects. This flaw can result in unauthorized data exposure or manipulation of plugin settings, threatening the integrity of the site\u2019s content and configuration. The weakness is classified as CWE\u2011862: Broken Access Control.", "risk_and_exploitability": "The CVSS score of 5.4 places this vulnerability in the medium severity range, and the EPSS score indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The attack vector is not explicitly detailed in the advisory; however, it is inferred that an attacker would need to send HTTP requests to plugin endpoints that lack proper access controls, and may require either valid credentials or the ability to create user accounts with insufficient restrictions. Proper configuration and up\u2011to\u2011date versions significantly reduce the risk."}}}}, "created": "2026-01-26T11:53:05.157925+00:00", "updated": "2026-04-16T17:45:27.383797+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}