CVE-2026-24534

The Booter plugin for WordPress (versions up to and including 1.5.7) contains a missing authorization vulnerability. The issue stems from a broken access control mechanism, where the plugin fails to properly check user permissions or nonce tokens before executing certain higher-privileged actions. This allows unprivileged users to exploit incorrectly configured access control security levels [1].

Exploitation requires no authentication bypass beyond the missing check; an attacker who can reach the vulnerable function can trigger it without needing elevated privileges. The attack surface is the WordPress admin interface or any endpoint that invokes the affected functionality [1].

An attacker exploiting this vulnerability can perform actions intended for higher-privileged users, potentially leading to unauthorized configuration changes or data exposure. The impact is limited to the scope of the missing authorization, but the vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

The vendor has released version 1.5.8 to address the issue. Users are advised to update immediately advised to update to this version or enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].