CVE-2026-24570
Description
Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Edwiser Bridge plugin (≤4.3.2) allows unprivileged users to exploit incorrectly configured access controls.
Vulnerability
Overview
The Edwiser Bridge WordPress plugin (versions up to and including 4.3.2) contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly enforce access restrictions, allowing unprivileged users to perform actions that should require higher privileges. The root cause is an incorrectly configured access control security level within the plugin's code [1].
Exploitation
An attacker does not need to be authenticated as an administrator to exploit this flaw. The vulnerability can be triggered by any user who can send requests to the WordPress site, potentially including unauthenticated visitors if the affected functions are exposed without proper nonce or capability checks. The attack surface is broad because the plugin is widely used in learning management integrations [1].
Impact
Successful exploitation allows an attacker to bypass intended access controls, potentially leading to unauthorized data access, modification of settings, or privilege escalation within the WordPress environment. While the severity is rated medium (CVSS 5.4), the vulnerability is considered low risk for exploitation in practice and unlikely to be exploited in mass campaigns [1].
Mitigation
The vendor has released version 4.3.3 which fixes the issue. Users are strongly advised to update to this version or enable auto-updates for vulnerable plugins. If immediate update is not possible, consulting with a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 4.3.2
Patches
No patches discovered yet.
References