CVE-2026-24622

The Suggestion Toolkit plugin for WordPress, in versions up to and including 5.0, contains a missing authorization vulnerability. The root cause is a failure to properly enforce access control security levels, specifically missing authorization checks that could allow users with lower privileges to perform actions intended for higher-privileged users [1].

Exploitation of this vulnerability does not require authentication as a high-privilege user; an attacker needs only to be able to send crafted requests to the affected plugin. This type of broken access control can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site traffic or popularity [1].

The impact of successful exploitation is that an unprivileged user can execute certain higher-privileged actions, potentially leading to unauthorized data access or modification. The CVSS v3 base score of 5.4 (Medium) reflects this risk, though the discoverer notes that the CVSS score may not be ideal for WordPress-specific contexts [1].

As an immediate remediation step, users should update the Suggestion Toolkit plugin to a patched version if available. If updating is not possible, site owners are advised to contact their hosting provider or web developer for assistance [1].