CVE-2026-24532
Published: 23 January 2026
Summary
CVE-2026-24532 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-24532 is a Missing Authorization vulnerability (CWE-862) in the SiteLock Security – WP Hardening, Login Security & Malware Scans WordPress plugin. The flaw lets an authenticated user abuse incorrectly configured access-control security levels, and it affects all versions from n/a through 5.0.2. It received a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), classifying it as medium severity.
A low-privileged authenticated user (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables limited integrity impact (I:L), such as unauthorized modifications, while confidentiality (C:N) and availability (A:N) remain unaffected, with unchanged scope (S:U).
The Patchstack advisory provides further details on this broken access control vulnerability in the SiteLock WordPress plugin version 5.0.2: https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4406
Vulnerability details
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control in a public-facing WordPress plugin directly enables remote exploitation of the application (T1190): low-privileged authenticated users can perform unauthorized modifications.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on all protected functions so a low-privileged authenticated user cannot perform the unauthorized modifications allowed by the missing authorization flaw.
- AC-6 (Least Privilege): restricts the permissions granted to authenticated users to only those explicitly required, limiting the impact of any incorrectly configured access-control checks in the plugin.
- AC-25 (Reference Monitor): ensures access-control decisions are made by a trusted reference monitor rather than relying on the plugin's flawed enforcement logic.
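The following is an added illustrative example, not code from the SiteLock plugin or from the advisory: it shows the generic WordPress pattern behind CWE-862 (an AJAX handler that any authenticated user can reach without a capability check) next to the hardened form that implements AC-3 style access enforcement with the narrowest capability (AC-6). All hook, option, nonce and route names are invented for the example.

```php
<?php
/*
 * Added example (not the SiteLock plugin's code). Hook names, option names,
 * nonce actions and the REST route are hypothetical.
 */

// VULNERABLE PATTERN (CWE-862): wp_ajax_{action} fires for ANY logged-in user,
// subscribers included. With no capability check, a low-privileged account can
// change plugin settings: the PR:L / I:L profile described in the advisory.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unchecked' );
function example_save_setting_unchecked() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value ); // hypothetical option name
    wp_send_json_success();
}

// HARDENED FORM: authorization is enforced inside the handler (AC-3), the
// capability demanded is the narrowest one that fits the action (AC-6), and
// the request is bound to a nonce so an admin cannot be driven via CSRF.
add_action( 'wp_ajax_example_save_setting_v2', 'example_save_setting_checked' );
function example_save_setting_checked() {
    // Capability check first: wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Nonce check: dies with -1 on failure (nonce action name is hypothetical).
    check_ajax_referer( 'example_save_setting_nonce', 'nonce' );

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => true ) );
}

// The same rule applies to REST routes: a permission_callback that returns
// true unconditionally (or is omitted) is the REST-API form of CWE-862.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
            update_option( 'example_plugin_setting', $value );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );
```

For a site owner reviewing a plugin before the fixed version is available, the practical check is to list every `wp_ajax_*`, `admin_post_*` and `register_rest_route` handler in the plugin and confirm each one that writes state performs its own `current_user_can()` (or a restrictive `permission_callback`) before acting; the `wp_ajax_nopriv_*` hook and the `edit_posts`-only role checks that some plugins use are not sufficient for settings changes.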