CVE-2026-24556

Vulnerability

Description The ElementCamp plugin for WordPress versions up to and including 2.3.2 suffers from a missing authorization vulnerability [1]. This broken access control issue means that the plugin fails to properly check user permissions or nonce tokens in certain functions, allowing lower-privileged users to execute actions intended for higher-privileged roles.

Exploitation

Exploitation does not require authentication as an administrator; an unprivileged user, such as a subscriber, can exploit this flaw. The attack surface is the web interface, and no special network position is needed beyond being a registered user of the WordPress site. This vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as modifying site settings or content, depending on the specific function lacking authorization. The CVSS v3 base score is 5.3 (Medium), reflecting the moderate impact and low complexity of exploitation [1].

Mitigation

The vendor has released version 2.3.6 which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1].