PatchSiren cyber security CVE debrief
CVE-2026-24545 Nikki Blight CVE debrief
A Missing Authorization vulnerability in the QR Redirector WordPress plugin (versions through 2.0.3) allows authenticated attackers with low privileges to exploit incorrectly configured access control security levels. The vulnerability, classified as CWE-862, enables authenticated users to perform unauthorized actions because the plugin's access control checks are broken. The issue was published on May 25, 2026, and modified on May 26, 2026. The CVSS 3.1 score of 4.3 (Medium severity) reflects a network attack vector, low attack complexity, low privileges required, no user interaction needed, and an impact on integrity only. No known exploitation in the wild or use in ransomware campaigns has been documented.
- Vendor: Nikki Blight
- Product: QR Redirector
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using QR Redirector plugin; security teams managing WordPress installations; developers maintaining WordPress plugins with role-based access control requirements
Technical summary
The QR Redirector plugin for WordPress fails to properly validate user capabilities before executing sensitive operations. Authenticated users with low privileges can exploit this weakness to perform actions beyond their intended authorization scope. The vulnerability stems from insufficient access control checks (CWE-862) in plugin functionality through version 2.0.3. Attack complexity is low, no user interaction is required, and exploitation is possible over the network. The integrity impact is rated low, with no confidentiality or availability impact per the CVSS scoring.
Defensive priority
medium
Recommended defensive actions
- Update QR Redirector WordPress plugin to version 2.0.4 or later if available
- Review and restrict user role permissions to enforce principle of least privilege
- Audit plugin access control configurations for unauthorized capability grants
- Monitor WordPress admin logs for anomalous activity from low-privilege accounts
- Consider implementing additional authorization checks via WordPress capabilities API for custom roles
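To make the last recommendation concrete, the following is an added illustration of the CWE-862 pattern in a generic WordPress plugin handler, written for this debrief; it is not code from QR Redirector or its author. The hook names (`qrx_*`), the option key and the choice of the `manage_options` capability are assumptions for the example. The first callback shows the defect the advisory describes (a privileged write reachable by any logged-in user with no capability check); the second shows the same operation with the capability check, nonce verification and input validation that WordPress provides for this purpose.

```php
<?php
// Added, hypothetical example for a WordPress plugin handler that stores a
// redirect target. Names (qrx_*, the option key, the capability) are assumed;
// this is NOT QR Redirector's code.

// --- Vulnerable pattern (CWE-862), shown for contrast only and deliberately
// NOT registered with add_action(): the wp_ajax_ prefix already means "any
// logged-in user", and the callback never asks whether that user is allowed
// to change site configuration. A subscriber-level account can therefore
// overwrite the stored target.
function qrx_save_target_vulnerable() {
    $target = isset( $_POST['target'] ) ? wp_unslash( $_POST['target'] ) : '';
    update_option( 'qrx_redirect_target', $target );
    wp_send_json_success();
}

// --- Hardened pattern: authorization, CSRF protection, then validation.
add_action( 'wp_ajax_qrx_save_target', 'qrx_save_target_hardened' );
function qrx_save_target_hardened() {
    // 1. Authorization: only users holding the capability the plugin reserves
    //    for this action may proceed. 'manage_options' is used here because it
    //    is a standard administrator-only capability; a plugin may map its own
    //    capability instead, as long as some check happens before the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Request-origin check: reject requests that lack a valid nonce, so an
    //    administrator cannot be made to submit this from a third-party page.
    //    The admin page that renders the form must emit the matching nonce with
    //    wp_create_nonce( 'qrx_save_target' ) in a field named 'nonce'.
    check_ajax_referer( 'qrx_save_target', 'nonce' );

    // 3. Validate before persisting: accept only http(s) URLs and store a
    //    sanitized form of the value.
    $target = isset( $_POST['target'] ) ? esc_url_raw( wp_unslash( $_POST['target'] ) ) : '';
    $scheme = '' === $target ? '' : wp_parse_url( $target, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid target URL.' ), 400 );
    }

    update_option( 'qrx_redirect_target', $target );
    wp_send_json_success();
}
```

The order matters: the capability check runs first so that an unauthorized caller learns nothing about nonce handling or validation rules, and the nonce check runs before any state change. When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, REST route (`permission_callback`), `admin_post_*` and shortcode handler that calls `update_option()`, `wp_update_post()` or similar, and confirm that a `current_user_can()` check precedes the write.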
Evidence notes
Vulnerability identified through Patchstack security research. NVD status marked as 'Deferred'. CVSS vector confirms authenticated attack scenario with integrity impact.
Official resources
- CVE-2026-24545 CVE record (CVE.org)
- CVE-2026-24545 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-25T21:16:34.110Z