CVE-2026-49045
Description
Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Adminimize: from n/a through 1.11.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the Adminimize plugin allows unprivileged users to exploit incorrectly configured access control security levels.
Vulnerability
A missing authorization vulnerability exists in the WP Media Adminimize plugin for WordPress, affecting versions from n/a through 1.11.11. The issue is categorized as a broken access control flaw, where the plugin fails to properly verify user permissions or nonce tokens in certain functions, allowing exploitation of incorrectly configured access control security levels [1].
Exploitation
An attacker with minimal privileges, such as a subscriber-level account, can exploit this vulnerability by sending crafted requests to the vulnerable endpoint. No special network position is required beyond being able to access the WordPress site's admin-ajax or other authenticated handler. The lack of authorization checks means the attacker can trigger higher-privileged actions without needing elevated permissions [1].
Impact
Successful exploitation enables an unprivileged user to perform actions intended for higher-privileged roles (e.g., administrators), such as modifying plugin settings or accessing protected data. This leads to a breach of confidentiality and integrity, potentially allowing further compromise of the WordPress site [1].
Mitigation
The vulnerability is present in all versions up to 1.11.11. As of the publication date, no fixed version has been released. Immediate action is recommended to update or remove the plugin. If an update is unavailable, users should disable the plugin or seek assistance from a hosting provider or web developer [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.11.11
- (no CPE) range: <=1.11.11
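The affected range above (<=1.11.11) and the mitigation advice can be turned into an inventory check. The following is an added example, not code from the CVE record or the plugin: it reads the standard WordPress plugin header and reports whether an install falls in the stated range. The `adminimize` directory name and the sample header are assumptions.

```python
import re
from pathlib import Path

AFFECTED_MAX = (1, 11, 11)   # upper bound of the range stated in the CVE record
PLUGIN_SLUG = "adminimize"   # assumed plugin directory under wp-content/plugins

# WordPress reads plugin metadata from "Key: value" lines in a header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress only scans the first 8 KiB
    if not m:
        return None
    parts = re.findall(r"\d+", m.group(1))
    return tuple(int(p) for p in parts) if parts else None


def classify(version):
    """Map a parsed version onto the record's stated range (<= 1.11.11)."""
    if version is None:
        return "unknown"  # no usable header: inspect the install manually
    width = max(len(version), len(AFFECTED_MAX))
    pad = lambda v: v + (0,) * (width - len(v))
    return "affected" if pad(version) <= pad(AFFECTED_MAX) else "outside-stated-range"


def scan(plugins_dir):
    """Look for a plugin header in the top-level PHP files of the plugin dir."""
    root = Path(plugins_dir) / PLUGIN_SLUG
    if not root.is_dir():
        return "not-installed"
    for php in sorted(root.glob("*.php")):
        version = parse_version(php.read_text(errors="replace"))
        if version is not None:
            return classify(version)
    return "unknown"


# Constructed sample header, not copied from the plugin.
SAMPLE = """<?php
/**
 * Plugin Name: Adminimize
 * Version:     1.11.11
 */
"""

if __name__ == "__main__":
    print(classify(parse_version(SAMPLE)))
```

Because the record lists no fixed version, `outside-stated-range` only means the install is above the range given here, not that it is known to be patched.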
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.