VYPR
Medium severity 5.3 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 29, 2026

CVE-2026-40778

Description

Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through <= 1.1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Majestic Support WordPress plugin <=1.1.2 has a missing authorization vulnerability allowing unprivileged users to execute higher-privileged actions.

Vulnerability

Overview

CVE-2026-40778 is a missing authorization vulnerability in the Majestic Support WordPress plugin, affecting versions up to and including 1.1.2. The plugin fails to properly enforce access controls, allowing users with lower privileges to perform actions meant for higher-privileged roles. This issue is classified as a broken access control vulnerability [1].

Exploitation

The vulnerability can be exploited without requiring authentication, as the missing checks occur in functions that should be restricted to authorized users. An attacker with any level of access, or potentially even unauthenticated, can trigger the vulnerable endpoints to gain elevated capabilities [1]. The CVSS score of 5.3 (Medium) reflects the moderate impact and low attack complexity.

Impact

Successful exploitation allows an attacker to perform actions that should be reserved for administrators, such as modifying plugin settings or accessing sensitive data. This could lead to partial site compromise, data exposure, or further exploitation [1].

Mitigation

The vendor has released version 1.1.3, which addresses the missing authorization. Users are strongly advised to update immediately. For those unable to update, implementing additional access controls or disabling the plugin temporarily is recommended [1].
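To find installations that still need the update, the added example below (not code from the vendor or from this advisory) reads the plugin's `Version:` header under a `wp-content/plugins` directory and classifies it against the affected range stated above. It assumes the plugin folder is named after the slug `majestic-support`; the stub file name and the sample sites are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "majestic-support"   # plugin slug as written in the CVE description
LAST_AFFECTED = (1, 1, 2)   # description: affected through <= 1.1.2

# WordPress takes plugin metadata from a "Version:" line in a PHP header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if there is none."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None

def installed_version(plugins_dir):
    """Read the Version header from the top-level PHP files of the plugin folder."""
    plugin_dir = Path(plugins_dir) / SLUG   # assumption: folder name equals the slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the start of each file is inspected, where the header comment lives.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            return version
    return None

def status(plugins_dir):
    """Classify one wp-content/plugins directory against the advisory's range."""
    version = installed_version(plugins_dir)
    if version is None:
        return "absent-or-unknown"
    padded = version + (0,) * (3 - len(version))   # "1.1" compares as 1.1.0
    return "affected" if padded <= LAST_AFFECTED else "not-affected"

def make_sample_site(version):
    """Constructed fixture: a plugins directory holding a stub plugin file."""
    plugins = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (plugins / SLUG).mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Majestic Support\n * Version: {version}\n */\n"
    (plugins / SLUG / "stub.php").write_text(header)   # hypothetical file name
    return plugins

if __name__ == "__main__":
    for v in ("1.1.2", "1.0", "1.1.3"):
        print(v, status(make_sample_site(v)))
```

An `absent-or-unknown` result means no header was readable, so such a site should be checked by hand rather than treated as clean.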

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 1

News mentions: 1