{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24999", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.103Z", "datePublished": "2026-02-19T08:26:51.141Z", "dateUpdated": "2026-04-28T16:14:52.851Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "alma-gateway-for-woocommerce", "product": "Alma", "vendor": "Alma", "versions": [{"changes": [{"at": "5.16.2", "status": "unaffected"}], "lessThanOrEqual": "5.16.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.176Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Alma: from n/a through <= 5.16.1.</p>"}], "value": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through <= 5.16.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.851Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/alma-gateway-for-woocommerce/vulnerability/wordpress-alma-plugin-5-16-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Alma plugin <= 5.16.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:14:31.973245Z", "id": "CVE-2026-24999", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:42:40.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:14:31.973245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:13:10.469Z"}}], "cna": {"title": "WordPress Alma plugin <= 5.16.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Alma", "product": "Alma", "versions": [{"status": "affected", "changes": [{"at": "5.16.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.16.1"}], "packageName": "alma-gateway-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:34.086Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/alma-gateway-for-woocommerce/vulnerability/wordpress-alma-plugin-5-16-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through <= 5.16.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Alma: from n/a through <= 5.16.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.187Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24999", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:42:40.534Z", "dateReserved": "2026-01-28T09:50:57.103Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:51.141Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through <= 5.16.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Alma Alma alma-gateway-for-woocommerce permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Alma: desde n/a hasta &lt;= 5.16.1."}], "id": "CVE-2026-24999", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:13.783", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/alma-gateway-for-woocommerce/vulnerability/wordpress-alma-plugin-5-16-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.16.1]"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Alma", "source": "cna", "vendor": "Alma"}, "product": "alma", "vendor": "almapay"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:36:29.108852+00:00", "value": {"mitigation_remediation": ["Upgrade the Alma plugin to any version newer than 5.16.1.", "Reconfigure WordPress user roles to ensure that only administrators or explicitly authorized accounts can access the Alma gateway endpoints.", "If an immediate upgrade is not possible, temporarily disable the plugin or restrict its network exposure until a patched version is available."], "summary": {"action": "Patch Now", "impact": "Authorization Bypass - Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Alma \"alma-gateway-for-woocommerce\" plugin version 5.16.1 or earlier are affected. The vendor is Alma.", "description_and_impact": "The Alma plugin for WordPress contains a missing authorization flaw that permits exploitation of incorrectly configured access control security levels. An attacker who can interact with the plugin\u2019s endpoints may gain unauthorized access to privileged actions or data, thereby compromising the integrity and confidentiality of the site. The weakness is classified as CWE\u2011862, indicating that role or privilege checks are insufficient.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a moderate severity, while the EPSS score of less than 1% suggests that exploitation is unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated or unauthenticated user exploiting exposed administrative endpoints, as the lack of proper authorization allows privilege escalation or disclosure of sensitive data. No additional requirements beyond interacting with the plugin\u2019s interfaces are identified in the description."}}}}, "created": "2026-02-20T10:11:12.017405+00:00", "updated": "2026-04-16T00:45:15.965669+00:00", "vendors": ["almapay", "almapay$PRODUCT$alma", "wordpress", "wordpress$PRODUCT$wordpress"]}