CVE-2026-45442
Description
Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Presto Player: from n/a through 4.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in Presto Player allows unauthenticated access to restricted functionality, potentially enabling broader attacks against WordPress sites.
Vulnerability
CVE-2026-45442 is a missing authorization vulnerability in the Presto Player plugin for WordPress, affecting all versions up to and including 4.1.3 [1]. The issue stems from incorrectly configured access control security levels, allowing unauthenticated users to access functions or data that should require higher privileges [1].
Exploitation
An attacker can exploit this flaw without authentication by sending specially crafted requests to the vulnerable plugin's endpoints. No special network position is required beyond standard web access to the target WordPress site [1]. The vulnerability has been noted in mass-exploit campaigns, where attackers target thousands of sites simultaneously [1].
Impact
Successful exploitation allows the attacker to perform actions or retrieve data intended for authorized users, such as administrative operations or sensitive information [1]. While the CVSS score (4.3, Medium) reflects a moderate risk, the ease of exploitation and availability of scanning tools make it suitable for widespread attacks [1].
Mitigation
The vendor released version 4.1.4 to patch the vulnerability. All users are strongly advised to update immediately [1]. Those unable to update should contact their hosting provider or web developer immediately [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.