{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24997", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.102Z", "datePublished": "2026-02-03T14:08:37.755Z", "dateUpdated": "2026-04-28T16:14:53.263Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wired-impact-volunteer-management", "product": "Wired Impact Volunteer Management", "vendor": "Wired Impact", "versions": [{"changes": [{"at": "2.8.1", "status": "unaffected"}], "lessThanOrEqual": "2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.008Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.</p>"}], "value": "Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:53.263Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Wired Impact Volunteer Management plugin <= 2.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T16:20:14.470848Z", "id": "CVE-2026-24997", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:42:23.433Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T16:20:14.470848Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:20:04.817Z"}}], "cna": {"title": "WordPress Wired Impact Volunteer Management plugin <= 2.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Wired Impact", "product": "Wired Impact Volunteer Management", "versions": [{"status": "affected", "changes": [{"at": "2.8.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8"}], "packageName": "wired-impact-volunteer-management", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:33.647Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.046Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24997", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:42:23.433Z", "dateReserved": "2026-01-28T09:50:57.102Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:37.755Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n faltante en Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management permite Explotar Niveles de Seguridad de Control de Acceso Mal Configurados. Este problema afecta a Wired Impact Volunteer Management: desde n/a hasta &lt;= 2.8."}], "id": "CVE-2026-24997", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:18.910", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:02:03.354191+00:00", "value": {"mitigation_remediation": ["Upgrade the Wired Impact Volunteer Management plugin to the latest supported version, which removes the authorization flaw.", "Restrict access to the plugin\u2019s administrative interface by configuring WordPress role permissions to limit which user roles can access volunteer management features.", "Audit current user roles for volunteer management permissions and remove any unnecessary privileges to enforce the principle of least privilege."], "summary": {"action": "Apply patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Wired Impact Volunteer Management plugin version 2.8 or earlier are affected. No other vendors or products are listed for this issue. Site administrators should verify whether the plugin is installed and whether its version is at or below 2.8.", "description_and_impact": "This vulnerability allows an attacker to bypass authorization controls in the Wired Impact Volunteer Management plugin for WordPress, enabling the exploitation of incorrectly configured access levels. The missing authorization flaw (CWE-862) permits unauthorized users to perform administrative actions or retrieve sensitive volunteer data, effectively elevating their privileges within the plugin\u2019s scope. The impact is the potential exposure of personal information or unauthorized modification of volunteer records.", "risk_and_exploitability": "The CVSS score of 5.3 marks this flaw as a medium severity vulnerability, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the WordPress admin interface or any user input that triggers the plugin\u2019s privileged functions. Exploitation requires an attacker to reach the plugin\u2019s protected endpoints, which typically means either possessing remote access to the site or having an account with sufficient role privileges to invoke the plugin\u2019s operations."}}}}, "created": "2026-02-04T12:09:46.782395+00:00", "updated": "2026-04-16T07:15:28.167270+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}