VYPR
Medium severity 4.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24588

Description

Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Smart Product Viewer plugin <= 1.5.4 has missing authorization allowing unauthenticated attackers to execute privileged actions via broken access control.

Vulnerability Overview

The Smart Product Viewer WordPress plugin up to version 1.5.4 contains a Missing Authorization vulnerability. This flaw stems from incorrectly configured access control security levels, where certain functions lack proper authorization or nonce token checks [1]. This condition allows exploitation of broken access control paths, enabling unauthenticated users to potentially execute higher-privileged actions without proper authentication.

Exploitation Method

An attacker can exploit this vulnerability remotely without requiring authentication or user interaction. The attack surface is wide as the plugin is used across thousands of websites. The vulnerability is classified under broken access control (CAPEC-1), and its relatively low attack complexity positions it for mass-exploit campaigns targeting numerous WordPress installations simultaneously, regardless of site traffic or popularity [1].

Impact

Successful exploitation could allow an unprivileged attacker to perform actions normally reserved for higher-privileged users, such as accessing or modifying protected settings and data. While the CVSS v3 base score is 4.3 (Medium), the real-world impact is amplified by the plugin's wide deployment and the vulnerability's suitability for automated exploitation across large site networks [1].

Mitigation

Users are strongly advised to update the Smart Product Viewer plugin to a version newer than 1.5.4 as soon as possible. If immediate updating is not feasible, contacting the hosting provider or a web developer for assistance is recommended [1]. No workarounds or patches from alternative sources have been documented.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
