VYPR
Medium severity6.3NVD Advisory· Published Mar 5, 2026· Updated Apr 22, 2026

CVE-2026-28071

Description

Missing Authorization vulnerability in PixFort pixfort Core (pixfort-core) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects pixfort Core: from n/a through <= 3.2.22.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in pixfort Core WordPress plugin <=3.2.22 allows attackers to exploit incorrectly configured access controls.

Vulnerability

Overview

The pixfort Core plugin for WordPress versions 3.2.22 and earlier contains a missing authorization vulnerability. This issue, classified as a broken access control flaw, stems from the failure to properly verify user permissions before allowing certain actions [1]. The plugin fails to implement adequate access control checks, leaving administrative capabilities exposed to users who should not have them [1].

Attack Vector

An attacker with minimal privileges, such as a subscriber-level account, can exploit this missing authorization to execute functions intended for higher-privileged roles [1]. The vulnerability requires no special network position: because the plugin runs on the WordPress site itself, any authenticated user can attempt to trigger the unauthorized actions [1]. This type of flaw is particularly dangerous because it enables mass exploitation campaigns targeting thousands of websites running the same plugin version simultaneously [1].

Impact

Successful exploitation allows an unprivileged user to perform actions normally restricted to administrators or editors. Depending on which functions are unprotected, the attacker could modify site settings, inject malicious content, or even escalate their privileges to full administrative control [1]. The moderate CVSS score of 6.3 reflects the potential for significant impact without requiring complex attack conditions [1].

Mitigation

The vendor has released patched version 3.2.26, which addresses the missing authorization checks [1]. Users are strongly advised to update immediately to eliminate the risk. For those unable to update, hosting providers or web developers should be consulted for temporary mitigation measures. Patchstack also offers a virtual mitigation rule to block exploitation attempts until the plugin can be updated [1].
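The Overview and Mitigation sections describe the flaw class in general terms only (the plugin's actual code is not on this page). The following is an added, illustrative example, not pixfort Core's code and not the vendor's fix: a hypothetical WordPress plugin settings handler written first with the missing-authorization pattern and then with the capability check that closes it. All names (the `demo_` prefix, the option key, the REST namespace) are assumptions made for the example.

```php
<?php
/**
 * Illustrative example only (not pixfort Core's code): a WordPress plugin
 * settings handler before and after adding authorization.
 * All identifiers with the demo_ prefix are hypothetical.
 */

// --- BEFORE: missing authorization --------------------------------------
// Every logged-in user, subscribers included, can invoke wp_ajax_* handlers
// through /wp-admin/admin-ajax.php. Note that is_admin() is NOT an
// authorization check; it only reports that the request hit an admin URL.
function demo_save_settings_vulnerable() {
    $value = isset( $_POST['tracking_code'] ) ? wp_unslash( $_POST['tracking_code'] ) : '';
    update_option( 'demo_tracking_code', $value ); // writes an admin-only setting
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_settings_vulnerable', 'demo_save_settings_vulnerable' );

// --- AFTER: capability check, nonce, sanitisation -----------------------
function demo_save_settings_fixed() {
    // 1. Authorization: require the capability the action actually needs.
    //    This is the check a missing-authorization bug omits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: a nonce proves the request was intended by the
    //    user; it is not a substitute for the capability check above.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 3. Input handling: unslash, then sanitise before persisting.
    $value = isset( $_POST['tracking_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['tracking_code'] ) )
        : '';
    update_option( 'demo_tracking_code', $value );

    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_demo_save_settings_fixed', 'demo_save_settings_fixed' );
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated users must never
// reach a settings writer at all.

// --- Same principle for a REST route ------------------------------------
// permission_callback is the authorization gate. Returning '__return_true'
// there reproduces the missing-authorization pattern for the REST API.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( $request->get_param( 'tracking_code' ) );
            update_option( 'demo_tracking_code', $value );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'tracking_code' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When auditing a plugin for this flaw class, list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` callback and confirm each one performs a `current_user_can()` (or equivalent) check appropriate to the action before any state change; a nonce check alone, or an `is_admin()` test, does not establish authorization.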

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)