CVE-2026-49047
Description
Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects DearFlip: from n/a through 2.4.27.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in DearFlip plugin up to 2.4.27 allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability
A missing authorization vulnerability exists in the DearFlip plugin for WordPress, developed by DearHive. The issue affects all versions from n/a through 2.4.27. The plugin fails to properly enforce access control checks on certain functions, allowing exploitation of incorrectly configured access control security levels [1].
Exploitation
An attacker can exploit this vulnerability without authentication or any special privileges. By sending crafted HTTP requests to the vulnerable WordPress site, the attacker can reach the functions that lack authorization checks. The vulnerability is known to be used in mass-exploit campaigns, targeting thousands of websites regardless of traffic size or popularity [1].
Impact
Successful exploitation allows an unauthenticated attacker to perform actions that should be restricted to higher-privileged users. This could lead to unauthorized access to sensitive data, modification of plugin settings, or other unintended operations depending on the specific function affected. The CVSS score of 4.3 (Medium) reflects the potential for information disclosure or limited impact [1].
Mitigation
The immediate mitigation is to update the DearFlip plugin to a version newer than 2.4.27. As of the publication date (2026-05-27), no patched version has been explicitly mentioned, but users are advised to check for updates from the plugin vendor. If unable to update, contact your hosting provider or web developer for assistance. No other workarounds are documented in the available reference [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.4.27
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.