PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49045 WP Media CVE debrief

A Missing Authorization vulnerability (CWE-862) in the Adminimize WordPress plugin allows authenticated users with low privileges to exploit incorrectly configured access control security levels. The vulnerability affects versions up to and including 1.11.11; the record lists the lower bound as "n/a". The issue was published to the CVE List on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (Medium severity), with an attack vector of Network, Low attack complexity, and Low privileges required. The NVD entry currently shows a status of Deferred. No known exploitation in the wild or ransomware campaign use has been documented.

Vendor: WP Media
Product: Adminimize
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Adminimize plugin; security teams managing WordPress deployments; developers responsible for access control implementation in WordPress plugins.

Technical summary

The Adminimize plugin for WordPress does not properly enforce authorization checks, allowing authenticated users with low-level privileges to access or modify administrative settings that should be restricted to higher-privileged users. The vulnerability stems from missing authorization controls on functionality that manages admin interface customization options.

Defensive priority

Medium

Recommended defensive actions

  • Update Adminimize plugin to a version newer than 1.11.11 when available
  • Review and restrict user role permissions to enforce least privilege
  • Monitor WordPress audit logs for unauthorized administrative option modifications
  • Apply Web Application Firewall rules to detect and block suspicious access control bypass attempts
  • Subscribe to vendor security advisories for patch availability notifications

Evidence notes

Vulnerability identified via Patchstack audit. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Weakness classified as CWE-862 (Missing Authorization).
