{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28104", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:02.974Z", "datePublished": "2026-03-05T05:54:26.400Z", "dateUpdated": "2026-04-28T17:44:33.806Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "site-suggest", "product": "Site Suggest", "vendor": "Aryan Shirani Bid Abadi", "versions": [{"lessThanOrEqual": "1.3.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:38.885Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects Site Suggest: from n/a through <= 1.3.9.</p>"}], "value": "Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through <= 1.3.9."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.760Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/site-suggest/vulnerability/wordpress-site-suggest-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Site Suggest plugin <= 1.3.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T16:41:48.212290Z", "id": "CVE-2026-28104", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:44:33.806Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28104", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T16:41:48.212290Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T16:43:25.292Z"}}], "cna": {"title": "WordPress Site Suggest plugin <= 1.3.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Aryan Shirani Bid Abadi", "product": "Site Suggest", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.3.9"}], "packageName": "site-suggest", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-05T06:51:29.050Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/site-suggest/vulnerability/wordpress-site-suggest-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through <= 1.3.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects Site Suggest: from n/a through <= 1.3.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-05T05:54:26.400Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28104", "state": "PUBLISHED", "dateUpdated": "2026-03-05T16:43:59.332Z", "dateReserved": "2026-02-25T12:14:02.974Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:26.400Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through <= 1.3.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Aryan Shirani Bid Abadi Site Suggest site-suggest permite Acceder a Funcionalidad No Restringida Adecuadamente por ACLs. Este problema afecta a Site Suggest: desde n/a hasta &lt;= 1.3.9."}], "id": "CVE-2026-28104", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:44.913", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/site-suggest/vulnerability/wordpress-site-suggest-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Site Suggest", "source": "cna", "vendor": "Aryan Shirani Bid Abadi"}, "product": "site_suggest", "vendor": "aryan_shirani_bid_abadi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T22:50:45.026901+00:00", "value": {"mitigation_remediation": ["Install the latest stable release of Site\u202fSuggest (any version >\u202f1.3.9) to remove the broken access control logic.", "After the upgrade, verify that the plugin\u2019s administrative URLs are accessible only to users with administrator roles by checking the role\u2011based permission settings in WordPress.", "If an upgrade cannot be performed immediately, block non\u2011admin users from the plugin\u2019s administrative endpoints by adding WordPress role checks or an .htaccess rule that restricts those URLs."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control allowing unauthorized access to plugin functionality"}, "threat_synthesis": {"affected_systems": "The plugin is distributed by Aryan Shirani Bid Abadi as Site\u202fSuggest. All releases up to and including 1.3.9 contain the vulnerability; any WordPress site using the plugin at a version <=\u202f1.3.9 is susceptible.", "description_and_impact": "Missing authorization in the Site\u202fSuggest WordPress plugin permits unauthenticated or insufficiently privileged users to invoke protected actions, potentially exposing site data or enabling configuration changes. The flaw is a classic broken access control (CWE\u2011862) and could allow attackers to elevate privileges or manipulate content.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates moderate severity, while the EPSS figure of less than 1% points to a low probability of exploitation. The vulnerability has not been recorded in CISA\u2019s KEV catalog, suggesting no publicly known exploits. Attackers would likely target the plugin\u2019s admin endpoints via the web interface, exploiting the absence of role checks. Mitigation hinges on removing the vulnerable code by upgrading the plugin and ensuring that only administrator\u2011level users can access its administrative interfaces."}}}}, "created": "2026-03-06T15:08:32.574258+00:00", "updated": "2026-04-15T23:00:10.449596+00:00", "vendors": ["aryan_shirani_bid_abadi", "aryan_shirani_bid_abadi$PRODUCT$site_suggest", "wordpress", "wordpress$PRODUCT$wordpress"]}