CVE-2026-24982
Description
Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Spectra (Gutenberg blocks) up to 2.19.17 allows unauthenticated access control bypass, enabling mass exploitation.
Vulnerability Overview
CVE-2026-24982 is a missing authorization vulnerability in the Brainstorm Force Spectra plugin (formerly Ultimate Addons for Gutenberg) for WordPress. The issue stems from incorrectly configured access control security levels, which let an attacker bypass the plugin's access control checks. It affects all versions through 2.19.17 [1].
Exploitation Details
The vulnerability is classified as a broken access control issue, meaning there is a missing authorization, authentication, or nonce token check in a function. This could allow an unprivileged user to execute a higher-privileged action without proper authentication. The attack surface is broad, as the plugin is widely used, and the vulnerability can be exploited remotely without any special network position or user interaction [1].
Impact
An attacker exploiting this vulnerability can bypass access controls, potentially gaining unauthorized access to sensitive functionality or data. The CVSS v3 base score is 5.3 (Medium), indicating moderate severity. However, the vulnerability is noted to be used in mass-exploit campaigns, targeting thousands upon thousands of websites, regardless of traffic size or popularity [1].
Mitigation
The vendor has released version 2.19.18, which resolves the issue. Users are strongly advised to update immediately. If unable to update, users should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-update for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.19.17
- Range: <=2.19.17
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.