VYPR
← All advisories
Medium severity5.9NVD Advisory· Published Jun 16, 2026· Updated Jun 16, 2026

CVE-2026-52714

CVE-2026-52714

Description

Unauthenticated broken access control in Squirrly SEO plugin <=12.4.16 allows unprivileged attackers to perform higher-privileged actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated broken access control in Squirrly SEO plugin <=12.4.16 allows unprivileged attackers to perform higher-privileged actions.

Vulnerability

The SEO Plugin by Squirrly SEO versions 12.4.16 and earlier contain a broken access control vulnerability that allows unauthenticated attackers to perform actions normally restricted to higher-privileged users. The issue stems from missing authorization, authentication, or nonce token checks in certain functions, making the code path reachable without any prior authentication [1].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication or user interaction. By sending crafted HTTP requests to the vulnerable endpoints, the attacker can trigger the missing access control checks. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation enables an unauthenticated attacker to execute higher-privileged actions, potentially leading to full site compromise, including data disclosure, modification, or deletion. The vulnerability is considered highly dangerous due to its ease of exploitation and the lack of required privileges [1].

Mitigation

The vulnerability is fixed in version 12.4.17 of the plugin. Users are advised to update immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. No other workarounds are mentioned in the available references [1].

References
  1. Broken Access Control in WordPress SEO Plugin by Squirrly SEO Plugin

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.