Description
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.
Published: 2026-01-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access due to missing authorization controls
Action: Apply Vendor Fix
AI Analysis

Impact

The SiteLock Security – WP Hardening, Login Security & Malware Scans plugin contains a missing authorization flaw that lets attackers bypass the plugin’s configured security levels. Classified as CWE‑862, the vulnerability allows an attacker to reach administrative endpoints that should be restricted, potentially exposing plugin settings and other sensitive data. While the description does not note arbitrary code execution, the loss of access control threatens the confidentiality and integrity of the WordPress site.

Affected Systems

All installations of SiteLock Security – WP Hardening, Login Security & Malware Scans from the earliest available versions up to and including 5.0.2 are vulnerable. The product is offered by SiteLock, and any site running one of these versions is at risk regardless of its WordPress version.

Risk and Exploitability

With a CVSS score of 8.8, this vulnerability is high severity. The EPSS score is below 1%, indicating a relatively low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Attackers would likely target the plugin via web‑based administrative interfaces, crafting requests that exploit the missing access control to gain unauthorized access. The lack of mitigations beyond proper authorization makes the flaw a serious threat when the site is exposed to the network.

Generated by OpenCVE AI on April 16, 2026 at 07:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current version of SiteLock Security – WP Hardening, Login Security & Malware Scans; if it is <=5.0.2, consult SiteLock documentation to determine whether an updated version with a fix is available and apply it when possible.
  • If no updated version is available, disable the plugin until a vendor fix is released.
  • Restrict administrative access to the WordPress backend by requiring HTTPS, enforcing strong user roles, and ensuring only authorized users can reach the plugin’s administrative URLs.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through 5.0.2.
Values Added: Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Feb 2026 11:30:00 +0000


Tue, 17 Feb 2026 11:00:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2.
Values Added: Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through 5.0.2.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
Wordpress
Wordpress wordpress

Type: Vendors & Products
Values Added:
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2.

Type: Title
Values Added: WordPress SiteLock Security plugin <= 5.0.2 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:05.655Z

Reserved: 2026-01-23T12:31:40.820Z

Link: CVE-2026-24532

Vulnrichment

Updated: 2026-01-26T19:08:53.558Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:09.273

Modified: 2026-04-23T15:36:47.063

Link: CVE-2026-24532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses