CVE-2026-24578
Description
Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Admin login URL Change plugin (≤1.1.5) allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability
Overview
The Admin login URL Change plugin for WordPress, versions 1.1.5 and earlier, contains a missing authorization vulnerability [1]. The plugin fails to properly verify access control security levels, allowing exploitation of incorrectly configured access control mechanisms. This broken access control issue means that functions which should require higher privileges lack proper authorization, authentication, or nonce token checks [1].
Exploitation
Attackers can exploit this vulnerability without needing any prior authentication, as the missing authorization check allows unprivileged users to execute actions that should be restricted to higher-privileged roles [1]. The attack surface is broad because the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or popularity [1].
Impact
Successful exploitation enables an attacker to bypass access controls and perform actions that should require administrative privileges, such as modifying the login URL configuration [1]. This could lead to further compromise, including redirecting users to malicious sites or locking legitimate administrators out of the WordPress dashboard.
Mitigation
The vendor has not released a patched version, and users are strongly advised to update the plugin immediately if a fix becomes available [1]. As a workaround, users should contact their hosting provider or web developer for assistance in securing the site until a patch is applied [1]. The vulnerability is listed in the Patchstack database and is considered a medium-severity issue (CVSS 4.3) [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.1.5
Patches
No patches discovered yet.
References