CVE-2026-24636
Description
Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.9.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Sugar Calendar (Lite) WordPress plugin up to 3.9.1 allows attackers to bypass access controls and perform unauthorized actions.
The vulnerability is a missing authorization issue in the Sugar Calendar (Lite) plugin for WordPress, versions up to 3.9.1. The plugin fails to enforce access control checks on certain functions, so attackers can reach them without the required permissions. It is classified as broken access control, a category that covers missing authorization, authentication, or nonce token checks [1].
Attackers can exploit this by sending specially crafted requests to the plugin without needing higher privileges. The vulnerability is used in mass-exploit campaigns targeting thousands of websites, indicating that it is easily exploitable over the network [1].
Successful exploitation could allow an attacker to execute actions that should be restricted to higher-privileged users, leading to potential data exposure or modification.
The vulnerability has been addressed in version 3.10.0 of the plugin. Users are advised to update immediately or enable auto-updates if available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.9.1
Patches
No patches discovered yet.
References