Skip to main content

Wpvulnerability EUVDEUVD-2026-15571

| CVE-2026-24376 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-8h47-9x4c-74fv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15571
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1.

AnalysisAI

WPVulnerability plugin through version 4.2.1 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly enforced access controls. An attacker with valid login credentials can escalate privileges to perform unauthorized modifications within the plugin's protected functions. No patch is currently available for this vulnerability.

Technical ContextAI

The WPVulnerability plugin (CPE: cpe:2.3:a:javier_casares:wpvulnerability:*:*:*:*:*:*:*:*) is a WordPress plugin developed by Javier Casares that appears designed for security testing or vulnerability demonstration purposes. The root cause is classified under CWE-862 (Missing Authorization), which represents a fundamental failure to enforce proper access control checks before allowing users to perform privileged operations or access sensitive resources. This typically manifests in WordPress plugins when capability checks (using functions like current_user_can()) are either absent, improperly implemented, or bypassed through incorrect conditional logic, allowing low-privileged users or unauthenticated visitors to execute administrator-level actions or access restricted content.

RemediationAI

Immediately upgrade the WPVulnerability plugin to the latest available version beyond 4.2.1 (exact patch version to be confirmed with Javier Casares or Patchstack). Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability for specific patch details and changelog. As a temporary measure prior to upgrading, disable the WPVulnerability plugin entirely if it is not actively required for legitimate security testing purposes, restrict access to its administrative pages via Web Application Firewall (WAF) rules or .htaccess, and audit WordPress user roles and capabilities to ensure only intended users have elevated permissions. Review WordPress access logs for evidence of unauthorized access or privilege escalation attempts.

Share

EUVD-2026-15571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy