{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24627", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:28.686Z", "datePublished": "2026-01-23T14:29:07.850Z", "dateUpdated": "2026-04-28T16:14:50.801Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "trusona", "product": "Trusona for WordPress", "vendor": "Trusona", "versions": [{"lessThanOrEqual": "2.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:50.127Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Trusona for WordPress: from n/a through <= 2.0.0.</p>"}], "value": "Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trusona for WordPress: from n/a through <= 2.0.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.801Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Trusona for WordPress plugin <= 2.0.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:03:51.873661Z", "id": "CVE-2026-24627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:45:39.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:03:51.873661Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:03:46.582Z"}}], "cna": {"title": "WordPress Trusona for WordPress plugin <= 2.0.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trusona", "product": "Trusona for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.0"}], "packageName": "trusona", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:50.127Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trusona for WordPress: from n/a through <= 2.0.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Trusona for WordPress: from n/a through <= 2.0.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.100Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24627", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:45:39.766Z", "dateReserved": "2026-01-23T12:32:28.686Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:07.850Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trusona for WordPress: from n/a through <= 2.0.0."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Trusona Trusona para WordPress trusona permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Trusona para WordPress: desde n/a hasta &lt;= 2.0.0."}], "id": "CVE-2026-24627", "lastModified": "2026-04-28T15:16:20.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:22.083", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:27:45.791963+00:00", "value": {"mitigation_remediation": ["Update Trusona to a version newer than 2.0.0, ensuring that all authorization checks are correctly enforced", "If an update is not possible, disable or uninstall the Trusona plugin to prevent exposure", "Add additional server-side checks to restrict plugin endpoints to users with administrator privileges, mitigating the risk of unauthorized use"], "summary": {"action": "Immediate patch", "impact": "Unauthorized access due to missing authorization controls"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Trusona for WordPress through version 2.0.0. No specific sub-versions are listed; any instance running any version up to and including 2.0.0 is considered vulnerable.", "description_and_impact": "Missing authorization controls in the Trusona for WordPress plugin enable unauthorized users to execute administrative actions within the plugin. The flaw arises from incorrectly configured access control security levels, potentially allowing attackers to manipulate data or privilege state associated with the plugin's functionality. The impact is confined to the plugin\u2019s scope rather than the host WordPress installation as a whole, but can still aid in further attacks if the plugin interfaces interact with core systems.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk level. The EPSS score of less than 1% suggests a low probability of exploit in the wild, and the vulnerability is not catalogued by CISA. It is likely that exploitation requires access to the plugin\u2019s web interfaces; users who can trigger the affected endpoints can bypass the intended access restrictions. A remote attacker could use the exposed functionality to elevate privileges within the plugin context. Because no exploit public code is listed, the risk remains limited but should still be remedied promptly."}}}}, "created": "2026-01-26T11:52:53.964360+00:00", "updated": "2026-04-16T01:30:20.316697+00:00", "vendors": ["trusona", "trusona$PRODUCT$trusona_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}