{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:40.516Z", "datePublished": "2026-03-25T16:14:32.688Z", "dateUpdated": "2026-03-25T16:14:32.688Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "news-magazine-x", "product": "News Magazine X", "vendor": "wproyal", "versions": [{"changes": [{"at": "1.2.51", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2.50", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:13.545Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects News Magazine X: from n/a through <= 1.2.50.</p>"}], "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:32.688Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50."}], "id": "CVE-2026-24382", "lastModified": "2026-03-25T17:16:38.237", "metrics": {}, "published": "2026-03-25T17:16:38.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:42:40.034769+00:00", "value": {"mitigation_remediation": ["Apply the latest News Magazine X theme version that resolves the missing\u2011authorization flaw.", "Verify that administrative and content\u2011management controls are properly enforced after the update.", "If the patch cannot be applied immediately, deactivate or remove the theme to eliminate the attack surface.", "Continuously monitor access logs for abnormal activity that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is the News Magazine X theme from the Wproyal vendor, versions up to and including 1.2.50. Any site that has installed this theme and is running a WordPress installation is at risk after the indicated release.", "description_and_impact": "The vulnerability is a missing\u2011authorization flaw in the WordPress News Magazine X theme that allows attackers to exploit misconfigured access control. Users who should not have privileged capabilities could gain access to administrative functionality, potentially altering or deleting site content and compromising data integrity and confidentiality.", "risk_and_exploitability": "EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. The CVSS score is not provided, but the missing\u2011authorization flaw suggests a high likelihood of exploitation by any user who can reach the protected pages of the theme. The attack vector is likely direct interaction with the theme\u2019s admin interface or exposed URLs. Because all releases up to 1.2.50 are affected, any site still using those versions could be compromised if the attacker can identify the vulnerable endpoints."}}}}, "created": "2026-03-25T21:34:43.939484+00:00", "updated": "2026-03-25T21:34:43.939512+00:00", "vendors": []}