Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding.
This issue affects Advanced Access Manager: from n/a through 7.1.0.
AnalysisAI
Authentication bypass in the Advanced Access Manager (AAM) WordPress plugin through version 7.1.0 allows remote unauthenticated attackers to circumvent access controls via URL encoding manipulation, achieving high integrity impact on protected resources. The flaw is reported by Patchstack and tracked under CWE-290 (Authentication Bypass by Spoofing). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Advanced Access Manager is a widely deployed WordPress plugin that adds granular access control, role management, and URL/endpoint restrictions on top of WordPress's native capability system. The vulnerability is rooted in CWE-290 (Authentication Bypass by Spoofing), specifically through URL encoding handling - meaning the plugin's URL-matching or normalization logic likely compares encoded versus decoded request paths inconsistently, allowing a crafted percent-encoded URL to slip past access rules that would otherwise block the canonical path. The affected CPE (cpe:2.3:a:aam_plugin:advanced_access_manager) covers all versions up to and including 7.1.0.
RemediationAI
Patch available per vendor advisory - upgrade Advanced Access Manager to the first fixed version published after 7.1.0 as listed in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/advanced-access-manager/vulnerability/wordpress-advanced-access-manager-plugin-7-1-0-bypass-vulnerability-vulnerability); the exact patched release number is not included in the provided data and should be confirmed from the plugin's WordPress.org changelog before deployment. If immediate upgrade is not possible, compensating controls include placing the site behind a WAF (Patchstack, Wordfence, or Cloudflare WordPress ruleset) with virtual patching enabled for this CVE, deactivating the AAM plugin and falling back to native WordPress roles (trade-off: loses granular URL-level restrictions), or restricting access to AAM-protected admin URLs at the web-server level (nginx/Apache location blocks) using IP allow-listing - noting that server-level rules must themselves normalize URL encoding to avoid the same bypass class.
More in Advanced Access Manager
View allThe Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, all
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Acces
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Acces
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Acces
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in AAM Advanced Access Manager - Restricted Content, U
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33689
GHSA-7jmm-rc72-mcgf