CVE-2026-32404

Vulnerability

Overview

The Studio99 WP Monitor plugin for WordPress, versions up to and including 1.0.3, contains a missing authorization vulnerability. The plugin fails to properly verify access control security levels, meaning functions that should require higher privileges are accessible without proper checks [1]. This is a classic broken access control issue where the code does not enforce authentication or authorization or nonce token validation for certain actions [1].

## An attacker can exploit this vulnerability without needing any prior authentication. The missing authorization allows unauthenticated users to trigger privileged operations that the plugin exposes. Because the plugin does not validate the user's capabilities before executing sensitive functions, any visitor to a site running the vulnerable plugin can potentially invoke these actions [1].

## Successful exploitation could allow an attacker to perform actions normally restricted to administrators, such as modifying plugin settings or accessing or site settings. This could lead to unauthorized changes to the WordPress installation, potentially enabling further compromise. The vulnerability is rated with a CVSS v3 base score of 5.3 (Medium) and is noted as being used in mass-exploit campaigns targeting thousands of websites [1].

## The vulnerability has been patched in version 1.0.4 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].