VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-24996

Description

Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPElemento Importer: from n/a through <= 0.6.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WPElemento Importer plugin <=0.6.4 contains a missing authorization vulnerability allowing unprivileged attackers to perform higher-privileged actions.

The WPElemento Importer plugin for WordPress versions 0.6.4 and earlier suffers from a missing authorization vulnerability. The plugin fails to enforce proper access control checks on certain functions, allowing users without the required privileges to execute actions that should be restricted to higher-level roles. This is a classic broken access control issue, as described in the Patchstack advisory [1].

Exploitation can be carried out by an attacker who already has a low-privileged account on the WordPress site, such as a subscriber or contributor. By sending crafted requests to the vulnerable endpoints, the attacker can trigger operations intended for administrators, such as importing data or modifying site settings. No special network access is needed beyond being able to reach the WordPress admin area [1].

Successful exploitation could lead to unauthorized data manipulation, including the import of malicious content or configuration changes. Although the vulnerability is rated Medium (CVSS 4.3), the advisory notes that it is considered low severity and unlikely to be exploited in mass campaigns. Nonetheless, it poses a risk for targeted privilege escalation attacks on affected sites [1].

The vulnerability has been patched in version 0.6.5 of the plugin. Users are strongly advised to update immediately. If updating is not possible, consider disabling the plugin or implementing additional access control measures. Patchstack users can enable auto-updates for vulnerable plugins to stay protected [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
