CVE-2026-24997

The Wired Impact Volunteer Management plugin for WordPress versions up to and including 2.8 contains a broken access control vulnerability due to missing authorization checks. This issue stems from incorrectly configured access control security levels, allowing exploitation of missing authorization in certain plugin functions [1].

To exploit this vulnerability, an attacker does not need elevated privileges; unauthenticated or low-privileged users can leverage the missing authorization checks to perform actions that should require higher-level permissions. The attack vector is network-based, requiring no special access or user interaction beyond sending crafted requests to the affected WordPress site [1].

The impact of successful exploitation includes unauthorized access to plugin functionality, potentially leading to privilege escalation or data manipulation. While the CVSS score of 5.3 indicates medium severity, the vulnerability is noted to be part of mass-exploit campaigns targeting thousands of sites, regardless of their size or popularity [1].

Mitigation is available by updating the plugin to version 2.8.1 or later, which addresses the missing authorization. Users are advised to immediately apply the patch or enable auto-updates if using Patchstack. For those unable to update, consulting the hosting provider or developer is recommended [1].