PatchSiren cyber security CVE debrief

CVE-2026-48973 Benbodhi CVE debrief

A Missing Authorization vulnerability in the SVG Support WordPress plugin allows authenticated users with low privileges to reach functionality whose access controls are incorrectly enforced. The vulnerability affects versions up to and including 2.5.14. The issue was disclosed on May 27, 2026, and its NVD status is currently marked as Deferred. The vulnerability is classified under CWE-862 (Missing Authorization) with a CVSS 3.1 score of 4.3 (Medium severity): a network attack vector, low attack complexity, low privileges required and no user interaction.

Vendor: Benbodhi
Product: SVG Support
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the SVG Support plugin; security teams managing WordPress content management systems; developers responsible for plugin security assessments

Technical summary

The SVG Support plugin for WordPress fails to properly validate user capabilities before executing administrative functions, resulting in a Missing Authorization vulnerability (CWE-862). Affected versions through 2.5.14 permit authenticated users with low privileges to bypass intended access controls. The vulnerability has a network attack vector and low attack complexity, and requires low privileges with no user interaction. The integrity impact is rated Low, with no confidentiality or availability impact.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade SVG Support WordPress plugin to version 2.5.15 or later if available
  • Review and restrict plugin administrative capabilities to authorized roles only
  • Monitor WordPress audit logs for unauthorized SVG upload or configuration modification attempts
  • Apply principle of least privilege to WordPress user role assignments
  • Verify plugin settings enforce proper capability checks for administrative functions
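As an added illustration, not code from the SVG Support plugin, the following PHP shows the CWE-862 pattern described above in a hypothetical WordPress admin-ajax handler: the vulnerable form checks only that a user is logged in, while the corrected form checks the capability the action actually requires (`manage_options` is assumed here) and a nonce. The handler, action and option names are invented for the example.

```php
<?php
// Added illustration of the missing-authorization pattern (CWE-862) in a
// WordPress plugin. All names below are hypothetical, not SVG Support's code.

// Vulnerable form (shown for contrast; deliberately not registered below).
// Authentication is checked, authorization is not: any logged-in role,
// including Subscriber, can change a site-wide plugin setting.
function hypothetical_svg_save_setting_vulnerable() {
    // is_user_logged_in() proves identity, not permission.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 ); // wp_send_json_error() exits
    }
    update_option( 'hypothetical_svg_option', $_POST['value'] );
    wp_send_json_success();
}

// Corrected form: the capability check is the authorization control; the
// nonce check is CSRF protection and does not replace it.
function hypothetical_svg_save_setting_fixed() {
    // Only users permitted to manage site options may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // Nonce issued on the plugin's own settings page (action name assumed).
    check_ajax_referer( 'hypothetical_svg_settings', '_wpnonce' );

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'hypothetical_svg_option', $value );
    wp_send_json_success();
}

// Register only the corrected handler. admin-ajax.php is reachable by every
// authenticated user, so the capability check inside the handler is what
// restricts it to administrators.
add_action( 'wp_ajax_hypothetical_svg_save', 'hypothetical_svg_save_setting_fixed' );
```

When auditing a plugin, grep its `wp_ajax_*`, `admin_post_*` and REST route callbacks for a `current_user_can()` (or REST `permission_callback`) that names a specific capability; a check that stops at `is_user_logged_in()` is the pattern this advisory describes.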

Evidence notes

The vulnerability was disclosed via Patchstack and indexed in NVD with Deferred status. The CVSS vector confirms an authenticated attack scenario with integrity impact. There was no known exploitation in the wild and no KEV listing at the time of disclosure.
