CVE-2026-24633

The Add Expires Headers & Optimized Minify plugin for WordPress versions up to and including 3.2.0 contains a missing authorization vulnerability. This broken access control issue stems from incorrectly configured access control security levels, allowing unprivileged users to execute higher-privileged actions [1].

Exploitation requires no authentication or special privileges, as the vulnerability lies in the plugin's failure to properly verify user capabilities before granting access to sensitive functions. Attackers can leverage this to perform actions intended only for administrators, such as modifying plugin settings or accessing protected data [1].

The impact is limited to unauthorized access to plugin functionality, potentially leading to configuration changes or information disclosure. The vulnerability has a CVSS v3 score of 5.3 (Medium)3 (Medium) and is considered low severity by the vendor, though it may be used in mass-exploit campaigns targeting thousands of sites [1].

The issue is resolved in version 3.3.0. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult a hosting provider or web developer for assistance [1].