Skip to main content

Advanced Access Manager EUVDEUVD-2026-33689

| CVE-2026-42674 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-06-01 Patchstack GHSA-7jmm-rc72-mcgf
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:18 vuln.today

DescriptionCVE.org

Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding.

This issue affects Advanced Access Manager: from n/a through 7.1.0.

AnalysisAI

Authentication bypass in the Advanced Access Manager (AAM) WordPress plugin through version 7.1.0 allows remote unauthenticated attackers to circumvent access controls via URL encoding manipulation, achieving high integrity impact on protected resources. The flaw is reported by Patchstack and tracked under CWE-290 (Authentication Bypass by Spoofing). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Advanced Access Manager is a widely deployed WordPress plugin that adds granular access control, role management, and URL/endpoint restrictions on top of WordPress's native capability system. The vulnerability is rooted in CWE-290 (Authentication Bypass by Spoofing), specifically through URL encoding handling - meaning the plugin's URL-matching or normalization logic likely compares encoded versus decoded request paths inconsistently, allowing a crafted percent-encoded URL to slip past access rules that would otherwise block the canonical path. The affected CPE (cpe:2.3:a:aam_plugin:advanced_access_manager) covers all versions up to and including 7.1.0.

RemediationAI

Patch available per vendor advisory - upgrade Advanced Access Manager to the first fixed version published after 7.1.0 as listed in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/advanced-access-manager/vulnerability/wordpress-advanced-access-manager-plugin-7-1-0-bypass-vulnerability-vulnerability); the exact patched release number is not included in the provided data and should be confirmed from the plugin's WordPress.org changelog before deployment. If immediate upgrade is not possible, compensating controls include placing the site behind a WAF (Patchstack, Wordfence, or Cloudflare WordPress ruleset) with virtual patching enabled for this CVE, deactivating the AAM plugin and falling back to native WordPress roles (trade-off: loses granular URL-level restrictions), or restricting access to AAM-protected admin URLs at the web-server level (nginx/Apache location blocks) using IP allow-listing - noting that server-level rules must themselves normalize URL encoding to avoid the same bypass class.

Share

EUVD-2026-33689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy