CVE-2026-24532
Description
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in SiteLock Security plugin (≤5.0.2) allows unauthenticated or low-privileged users to perform restricted actions, enabling unauthorized access.
Vulnerability Overview
The vulnerability is a missing authorization (broken access control) flaw in the SiteLock Security – WP Hardening, Login Security & Malware Scans plugin for WordPress, affecting versions up to and including 5.0.2. The plugin fails to verify user permissions before allowing access to certain administrative functions, so functions that should require higher privileges are reachable without the proper checks [1].
Exploitation and Attack Vector
An attacker can exploit this vulnerability without needing any special authentication or with minimal privileges, depending on the specific missing check. The attack surface is the WordPress admin panel where the plugin's features operate. The vulnerability is classified as a broken access control issue, and its CVSS v3 score of 4.3 (Medium) indicates it can be exploited remotely with low attack complexity, though it requires some user interaction or special conditions [1].
Impact
Successful exploitation allows an unprivileged user to carry out actions that should be restricted, such as altering plugin settings, accessing sensitive data, or performing security-related operations without proper authorization. This could lead to a partial compromise of the site's security posture, though the impact is limited to the plugin's own functionality [1].
Mitigation
The vulnerability has been patched in version 5.0.3 of the plugin. Users are strongly advised to update immediately. For those who cannot update, it is recommended to contact their hosting provider or web developer for assistance. The advisory notes that this type of vulnerability is sometimes used in mass-exploit campaigns, making timely patching critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=5.0.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.