CVE-2026-28104

Vulnerability

Overview

The Site Suggest plugin for WordPress, versions up to and including 1.3.9, contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly enforce access control lists (ACLs) on certain functions, allowing unprivileged users to access functionality that should be restricted to higher-privileged roles [1].

Exploitation

Details

An attacker can exploit this vulnerability without needing any authentication, as the missing authorization check means no valid nonce token or capability verification is performed. The attack surface is broad because the plugin is widely used, and the vulnerability can be triggered remotely accessible via HTTP requests. No special network position is required; any unauthenticated visitor to a WordPress site running the affected plugin can trigger the vulnerable functionality [1].

Impact

Successful exploitation allows an attacker to perform actions normally reserved for administrators or other privileged users. This could include modifying site settings, injecting malicious content, or accessing sensitive data. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1]. /a].

Mitigation

The vendor has not released a patched version as of the publication date. The recommended immediate action is to update the plugin to a version newer than 1.3.9 if available, or to disable the plugin until a fix is released. Site administrators unable to update should consult their hosting provider or web developer for assistance [1].