CVE-2026-24543
Description
Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Materialis Companion <=1.3.52 allows unauthenticated attackers to execute privileged actions.
Vulnerability Overview
CVE-2026-24543 is a missing authorization vulnerability in the WordPress plugin Materialis Companion, affecting versions from n/a through 1.3.52. The issue arises from incorrectly configured access control checks, meaning the plugin fails to properly verify user permissions before granting access to certain functions or data.[1]
Exploitation
An attacker can exploit this vulnerability without needing authentication or complex prerequisites. By sending specially crafted requests to the vulnerable endpoint, an unprivileged user (or even an unauthenticated user) can trigger actions intended for higher-privileged roles such as administrators. This type of vulnerability is commonly targeted in automated mass-exploit campaigns against multiple WordPress sites simultaneously.[1]
Impact
Successful exploitation can lead to unauthorized access to sensitive functionality, potentially allowing the attacker to modify plugin settings, inject malicious content, or perform other actions that compromise the site's integrity or confidentiality. The CVSS score of 4.3 (Medium) reflects the moderate direct impact, but the ease of exploitation amplifies its risk in real-world scenarios.
Mitigation
The vendor has released version 1.3.53 which resolves the vulnerability. Users are strongly advised to update the plugin immediately. For Patchstack users, enabling auto-updates for vulnerable plugins can help maintain security. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended.[1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
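One way to check installed copies against the affected range (<= 1.3.52, fixed in 1.3.53), as an added example that is not part of the original record or the plugin's own code. It assumes the standard `wp-content/plugins/<slug>` layout and reads the `Version:` header from the plugin's main PHP file; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "materialis-companion"  # plugin slug from the CVE description
LAST_AFFECTED = (1, 3, 52)            # affected range on this page: <= 1.3.52
# WordPress plugin headers carry a "Version:" line in the main file's comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d[\w.+-]*)", re.M | re.I)

def parse_version(text):
    """'1.3.52-beta' -> (1, 3, 52): keep the leading dotted-numeric prefix."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version_text):
    """Compare numerically, so 1.10.0 is treated as newer than 1.3.52."""
    v = parse_version(version_text)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # (1, 3) compares as (1, 3, 0)
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = HEADER_RE.search(head)
        if "Plugin Name:" in head and m:
            return m.group(1)
    return None

def audit(roots):
    """Return [(plugin_dir, version, status)] for each copy found under roots."""
    found = []
    for root in roots:
        for pdir in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
            ver = installed_version(pdir)
            status = "unknown" if ver is None else ("AFFECTED" if is_affected(ver) else "ok")
            found.append((str(pdir), ver, status))
    return found

if __name__ == "__main__":
    # Usage: python audit.py /var/www [more roots...]; exits 1 if anything is not "ok".
    rows = audit(sys.argv[1:] or ["."])
    for path, ver, status in rows:
        print(f"{status:8} {ver or '-':10} {path}")
    sys.exit(1 if any(s != "ok" for _, _, s in rows) else 0)
```

A copy reported as `unknown` has no readable version header and should be inspected by hand rather than assumed safe.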
Affected products (2)
- Range: <=1.3.52
- Range: <=1.3.52
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.