PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42674 AAM Plugin CVE debrief

CVE-2026-42674 is an authentication bypass by spoofing vulnerability in the Advanced Access Manager (AAM) WordPress plugin, affecting versions up to and including 7.1.0. The flaw lets a request bypass AAM's authentication controls through URL encoding, and carries a CVSS 3.1 base score of 7.5 (HIGH). NVD published the entry on June 1, 2026 with status Deferred. The underlying weakness is CWE-290 (Authentication Bypass by Spoofing). The vendor attribution ("AAM Plugin") is recorded with low confidence, inferred from the Patchstack reference domain, and remains under review.

Vendor: AAM Plugin
Product: Advanced Access Manager
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

  • WordPress site administrators using Advanced Access Manager for access control
  • Security teams managing WordPress plugin inventories
  • Organizations relying on AAM for role-based or endpoint access management

Technical summary

The Advanced Access Manager plugin for WordPress, versions through 7.1.0, contains an authentication bypass exploitable through URL encoding. An unauthenticated attacker can send URL-encoded requests that AAM treats as if they came from an authenticated or permitted party, reaching resources the plugin is supposed to gate. The usual shape of a CWE-290 encoding bypass is that the access rule is matched against the raw, still-encoded request while the application routes the decoded path to the protected resource; the stored evidence does not record which request component or encoding sequence is involved here, so treat that as the weakness class rather than a confirmed mechanism. The CVSS vector is network-accessible, low attack complexity, no privileges, and no user interaction. Impact is scored as high on integrity with no confidentiality or availability impact (C:N/I:H/A:N), meaning the scorer treated the outcome as unauthorized change to protected resources rather than disclosure.
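To make the weakness class concrete, the following is an added illustration of a URL-encoding bypass of a string-matched access rule and its fix. It is not AAM's code and does not reproduce the AAM bug: the protected-path policy, the fail-open matcher, and the request samples are all constructed for the demonstration, and the hardened check goes beyond the single encoding the advisory names (it also covers double encoding, dot-segments and duplicate slashes, which is the general fix for this class).

```python
"""Added example: a fail-open access check that compares the policy
against the raw request path (CWE-290 encoding-bypass class), beside a
hardened version that canonicalizes first. Hypothetical policy and
routing; not code from the AAM plugin."""
from urllib.parse import unquote
import posixpath

# Constructed policy: paths under these prefixes require a logged-in user.
# AAM's real rule format is not part of the stored evidence.
PROTECTED_PREFIXES = ("/wp-json/secure", "/wp-admin")


def _under(path, prefix):
    """True if `path` is `prefix` itself or lies beneath it."""
    return path == prefix or path.startswith(prefix + "/")


def canonical_path(raw_uri):
    """Return the path the application will actually route to.

    Percent-decoding is repeated until it reaches a fixed point (so
    %2573 -> %73 -> 's' is handled), then '.'/'..' segments and repeated
    slashes are collapsed; posixpath.normpath clamps '..' at the root."""
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))


def naive_is_allowed(raw_uri, user):
    """Vulnerable pattern: the policy is matched against the raw,
    still-encoded path, and any non-match is treated as public."""
    path = raw_uri.split("?", 1)[0]
    if any(_under(path, p) for p in PROTECTED_PREFIXES):
        return user is not None
    return True  # fail-open: unknown path means no gate


def hardened_is_allowed(raw_uri, user):
    """Fixed pattern: match the policy against the canonical path, the same
    string the router uses, so no spelling of the resource slips past."""
    path = canonical_path(raw_uri)
    if any(_under(path, p) for p in PROTECTED_PREFIXES):
        return user is not None
    return True


def demo():
    """Run constructed probes as an anonymous client; returns
    (probe, naive_verdict, hardened_verdict, canonical_path) tuples."""
    anonymous = None
    probes = [
        "/wp-json/secure/export",            # plain spelling: both deny
        "/wp-json/%73ecure/export",          # 's' percent-encoded
        "/wp-json/%2573ecure/export",        # double-encoded
        "/wp-json/public/../secure/export",  # dot-segment
        "/wp-json//secure/export",           # duplicate slash
    ]
    return [
        (p, naive_is_allowed(p, anonymous), hardened_is_allowed(p, anonymous),
         canonical_path(p))
        for p in probes
    ]


if __name__ == "__main__":
    for probe, naive, hardened, canon in demo():
        print(f"{probe:40} naive={naive!s:5} hardened={hardened!s:5} -> {canon}")
```

Every probe after the first is let through by the naive matcher and denied by the hardened one. Whether a given server decodes the double-encoded or dot-segment forms before routing is deployment-specific; the point is that the access check must compare against whatever the router compares against, and must fail closed when it cannot tell.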

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Advanced Access Manager to a release newer than 7.1.0; the stored evidence does not name the fixed version, so confirm it against the vendor changelog or the Patchstack advisory before treating a site as patched
  • Review which administrative interfaces and endpoints depend on AAM alone for access control, and confirm they also enforce WordPress's native capability checks so AAM is not the only gate
  • Apply network-layer controls (IP allowlisting, VPN requirement) to sensitive admin endpoints as a compensating control until patching is confirmed
  • Monitor web server access logs, not only WordPress authentication logs, for percent-encoded request paths that decode to AAM-protected resources, especially unreserved characters (letters, digits, slashes) or "%25" sequences that have no legitimate reason to be encoded
  • Verify the plugin version across all WordPress instances and inventory AAM deployments so patching can be prioritized
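The log-monitoring action above can be turned into a concrete check. The following is an added example, not tooling from PatchSiren or the AAM project: it parses combined-format access log lines (the five lines are constructed for the demonstration) and flags requests whose raw path carries percent-encoding of characters that never need encoding, or a double-encoded "%25", and whose decoded path lands under a hypothetical protected prefix.

```python
"""Added example: scan web server access logs for URL-encoded paths that
decode to a protected resource. The log lines and protected prefixes are
constructed; AAM's real protected paths are not in the stored evidence."""
import re
from urllib.parse import unquote

# Constructed combined-format lines: one clean denied request, two encoded
# variants of the same protected path that succeeded, and two benign lines
# (a legitimately encoded non-ASCII query, and a normal admin-ajax call).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:01 +0000] "GET /wp-json/secure/export HTTP/1.1" 401 123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:10:14:03 +0000] "GET /wp-json/%73ecure/export HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:10:14:05 +0000] "GET /wp-json/%2573ecure/export HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2026:10:15:00 +0000] "GET /wp-json/wp/v2/posts?search=caf%C3%A9 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [02/Jun/2026:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical prefixes gated by the access-control plugin.
PROTECTED_PREFIXES = ("/wp-json/secure", "/wp-admin")

# RFC 3986 unreserved characters plus '/': encoding these in a path is
# never required, so it is a strong evasion signal.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/"
)


def suspicious_encodings(path):
    """Return the %XX sequences that decode to an unreserved character or
    to another '%' (double encoding). Encoded UTF-8 bytes are not flagged."""
    hits = []
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", path):
        ch = chr(int(m.group(1), 16))
        if ch in UNRESERVED or ch == "%":
            hits.append(m.group(0))
    return hits


def fully_decoded(path):
    """Percent-decode until stable so double encoding is unwrapped."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded


def scan(log_text):
    """Return one alert dict per request whose raw path uses suspicious
    encoding and whose decoded path sits under a protected prefix."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        raw_path = m["target"].split("?", 1)[0]
        decoded = fully_decoded(raw_path)
        protected = any(decoded == p or decoded.startswith(p + "/")
                        for p in PROTECTED_PREFIXES)
        odd = suspicious_encodings(raw_path)
        if protected and odd:
            alerts.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "raw": raw_path, "decoded": decoded,
                "encodings": odd, "status": int(m["status"]),
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['method']} {a['raw']} -> {a['decoded']} "
              f"status={a['status']} encodings={a['encodings']}")
```

Only the two encoded requests for the protected export path are reported; the legitimately encoded "café" query and the plain admin-ajax call are not. A 200 response on an encoded spelling of a path that returned 401 in its plain spelling from the same client, as in the sample, is the pattern worth paging on; access logs do not carry the session state, so confirm against application-side audit data before concluding the gate was actually bypassed.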

Evidence notes

Vulnerability affects AAM Plugin Advanced Access Manager with no recorded lower version bound (n/a) through 7.1.0. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. NVD status is Deferred. Weakness classified as CWE-290. Vendor identification is marked low confidence and needs review.

Official resources

2026-06-01