CVE-2026-24569
Description
Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Media Library File Size plugin (<=1.6.7) allows unprivileged users to exploit incorrectly configured access control, potentially leading to unauthorized actions.
Vulnerability Overview
The WordPress Media Library File Size plugin versions up to and including 1.6.7 suffer from a missing authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, meaning certain functions or endpoints do not properly verify user privileges before allowing execution.
Exploitation Path
Attackers can exploit this vulnerability without needing high-privilege access, as the broken access control allows unprivileged users to perform actions normally reserved for higher-privileged roles [1]. The vulnerability is accessible over the network and requires low attack complexity, though it may require some user interaction or specific conditions.
Impact
Successful exploitation could enable an attacker to bypass intended access restrictions, potentially leading to unauthorized data exposure, modification, or other administrative actions within the WordPress installation [1]. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with limited confidentiality or integrity impact.
Mitigation
The vulnerability has been patched in version 1.6.8 [1]. Users are strongly advised to update immediately. If updating is not possible, configuring additional access controls or contacting a hosting provider for assistance is recommended [1]. This vulnerability is noted as potentially used in mass-exploit campaigns, emphasizing the need for prompt remediation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.6.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.