CVE-2026-0674
Description
Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Campaign Monitor for WordPress: from n/a through 2.9.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Campaign Monitor for WordPress plugin ≤2.9.1 has a missing authorization vulnerability allowing unprivileged users to exploit incorrectly configured access controls.
Vulnerability Overview
The Campaign Monitor for WordPress plugin, from n/a through version 2.9.1, contains a missing authorization vulnerability. This broken access control issue means that certain functions lack proper authorization, authentication, or nonce token checks, potentially allowing an unprivileged user to execute higher-privileged actions [1].
Exploitation
An attacker who is already an authenticated user with low privileges could exploit this flaw by sending crafted requests to the vulnerable endpoints. No special network position is required beyond standard web access to the WordPress site. The vulnerability is classified as medium severity with a CVSS v3 score of 4.3, although the reference notes that the CVSS score is not ideal for WordPress [1].
Impact
Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive data. While the impact is considered low severity and exploitation is considered unlikely, the vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 2.9.2, which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins, which will provide protection. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.9.1
- Range: <=2.9.1
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.