{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25386", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:01.724Z", "dateUpdated": "2026-04-28T16:14:57.369Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pojo-accessibility", "product": "Ally", "vendor": "Elementor", "versions": [{"changes": [{"at": "4.0.3", "status": "unaffected"}], "lessThanOrEqual": "4.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:06.020Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ally: from n/a through <= 4.0.2.</p>"}], "value": "Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.369Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pojo-accessibility/vulnerability/wordpress-ally-plugin-4-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ally plugin <= 4.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:28:35.014840Z", "id": "CVE-2026-25386", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:10:44.046Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25386", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:01.724Z", "dateUpdated": "2026-04-28T13:10:44.046Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pojo-accessibility", "product": "Ally", "vendor": "Elementor", "versions": [{"changes": [{"at": "4.0.3", "status": "unaffected"}], "lessThanOrEqual": "4.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:45.976Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ally: from n/a through <= 4.0.2.</p>"}], "value": "Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.670Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pojo-accessibility/vulnerability/wordpress-ally-plugin-4-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ally plugin <= 4.0.2 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:28:35.014840Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:27:44.216Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Elementor Ally pojo-accessibility permite explotar niveles de seguridad de control de acceso mal configurados. Este problema afecta a Ally: desde n/a hasta &lt;= 4.0.2."}], "id": "CVE-2026-25386", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:20.677", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pojo-accessibility/vulnerability/wordpress-ally-plugin-4-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.0.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ally", "source": "cna", "vendor": "Elementor"}, "product": "ally", "vendor": "elementor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:32:26.870644+00:00", "value": {"mitigation_remediation": ["Upgrade the Ally plugin to version 4.0.3 or later.", "If an upgrade is not immediately possible, temporarily disable the plugin to eliminate the attack surface.", "Verify that role\u2011based access controls in WordPress are correctly configured to restrict plugin functionality to authorized users only."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "Ally plugin from Elementor, affecting all installations running version 4.0.2 or earlier. The vulnerability applies to every deployment of the plugin up to and including 4.0.2, regardless of other WordPress configuration.", "description_and_impact": "Missing authorization in the Ally plugin allows attackers to bypass configured access control levels, exposing privileged actions to unauthorized users. The flaw is a classic Broken Access Control weakness (CWE-862). An attacker who can reach the plugin\u2019s endpoints can perform actions intended only for higher\u2011privileged roles, potentially reading or modifying sensitive data or configurations within the WordPress site.", "risk_and_exploitability": "With a CVSS score of 5.3 the issue is considered medium severity. The EPSS score of less than 1% indicates a very low exploitation probability at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote web\u2011application access, inferred from the description that exploitation would require access to the WordPress site\u2019s API or the ability to submit crafted requests to the plugin. If an attacker can execute the plugin\u2019s endpoints, the broken access control could be leveraged to elevate privileges within the site."}}}}, "created": "2026-02-20T10:08:37.840004+00:00", "updated": "2026-04-16T06:45:16.306781+00:00", "vendors": ["elementor", "elementor$PRODUCT$ally", "wordpress", "wordpress$PRODUCT$wordpress"]}