CVE-2026-24585
Description
Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated broken access control vulnerability in the Hyyan WooCommerce Polylang Integration plugin for WordPress allows attackers to escalate privileges.
Vulnerability Overview
The Hyyan WooCommerce Polylang Integration plugin (slug: woo-poly-integration) for WordPress has a missing authorization vulnerability in all versions up to and including 1.5.0. The issue arises from incorrectly configured access control security levels, allowing unauthenticated attackers to exploit broken access control mechanisms [1].
Attack Vector
To exploit this vulnerability, an attacker does not need any authentication or special privileges. The attack can be carried out over the network by sending crafted requests to the WordPress site. The plugin fails to properly verify user permissions before granting access to certain administrative actions, enabling privilege escalation [1].
Impact
A successful exploit allows an attacker to bypass access controls and perform actions reserved for higher-privileged users, such as administrators. This could include modifying site settings, injecting malicious content, or taking over the site entirely. The CVSS score is 6.5 (Medium), and vulnerabilities of this type are frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Mitigation
The vulnerability has been patched in version 1.5.1 of the plugin. Users are strongly urged to update immediately. If updating is not possible, administrators should consult their hosting provider or a web developer to implement additional access control measures or restrict plugin functionality until the update can be applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.0
- Range: <=1.5.0
Patches
No patches discovered yet.