CVE-2026-24571
Description
Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in BOX NOW Delivery plugin (≤3.0.2) allows unauthenticated attackers to exploit access control flaws.
Vulnerability Overview
The BOX NOW Delivery WordPress plugin, versions 3.0.2 and earlier, contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing an attacker to exploit incorrectly configured security levels. This broken access control issue means that unauthenticated or low-privileged users can perform actions that should require higher privileges [1].
Exploitation
Attackers can exploit this vulnerability without authentication or any special network position. The missing authorization check means that any request to the vulnerable endpoint is processed without verifying the user's permissions. This type of flaw is commonly used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].
Impact
Successful exploitation allows an attacker to execute higher-privileged actions, potentially leading to unauthorized data access or modification. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity. The vulnerability is considered low impact and unlikely to be exploited in targeted attacks, but the ease of exploitation makes it attractive for automated scanning [1].
Mitigation
The vendor has released version 3.2.0, which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is the only reliable mitigation [1].
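A defender-side check for the affected range, added here as an example that is not part of the original advisory or the plugin's own code: it reads the Version header from an installed `box-now-delivery` directory and classifies it against the <= 3.0.2 range and the 3.2.0 release named above. The function names, status strings and the sample header are assumptions made for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "box-now-delivery"   # plugin slug as given in the CVE description
LAST_AFFECTED = (3, 0, 2)          # "through <= 3.0.2"
FIXED_IN = (3, 2, 0)               # release named in the Mitigation section
# Constructed sample header for illustration (not the plugin's real file).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: BOX NOW Delivery\n * Version: 3.0.2\n */\n"
# WordPress reads plugin metadata from the first 8 KB of top-level PHP files,
# so the check matches the header there instead of assuming a main file name.
_NAME = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def header_version(php_source):
    """Return the Version header of a plugin main file, or None."""
    head = php_source[:8192]
    match = _VERSION.search(head) if _NAME.search(head) else None
    return match.group(1) if match else None

def parse_version(text):
    """'3.0.2-beta' -> (3, 0, 2); None when there is no leading number."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts) + (0,) * max(0, 3 - len(parts)) if parts else None

def classify(version_text):
    version = parse_version(version_text or "")
    if version is None:
        return "unknown"
    if version <= LAST_AFFECTED:
        return "affected"
    # Releases between the two bounds are outside the stated range but unpatched.
    return "fixed" if version >= FIXED_IN else "below-fixed-release"

def audit(plugins_dir):
    """Classify the plugin copy under a wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):
        found = header_version(php.read_text(encoding="utf-8", errors="replace"))
        if found:
            return classify(found)
    return "unknown"

if __name__ == "__main__":
    print(classify(header_version(SAMPLE_HEADER)))  # runs on the constructed sample
```

Call `audit()` with the path to a site's `wp-content/plugins` directory; anything other than `fixed` or `not-installed` means the copy still needs the update.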
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.0.2
- Range: <=3.0.2
Patches
No patches discovered yet.
References