Description
Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through <= 3.1.3.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

This vulnerability resides in the WordPress Avalex plugin version 3.1.3 and earlier, where missing authorization checks enable attackers to bypass intended access restrictions. The flaw permits unauthorized users to access or modify functionality that should be limited to privileged accounts, potentially exposing sensitive data or allowing further compromise. The weakness is a classic broken access control issue, classified as CWE‑862.

Affected Systems

WordPress installations running the Avalex plugin up through version 3.1.3 are affected. The vendor identified is Avalex. The affected range is all releases from the beginning of the plugin up to and including 3.1.3.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability poses a moderate risk, and the EPSS indicates a very low likelihood of exploitation (<1%). It is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Attackers would need to reach the WordPress site and exploit the misconfigured access controls, likely via the WordPress admin interface or API endpoints, to gain unauthorized access. The impact could range from content manipulation to full site hijack depending on the privileges of the target account.

Generated by OpenCVE AI on March 26, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Avalex plugin to version 3.1.4 or later.

Generated by OpenCVE AI on March 26, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Avalex
Avalex avalex
Wordpress
Wordpress wordpress
Vendors & Products Avalex
Avalex avalex
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through <= 3.1.3.
Title WordPress avalex plugin <= 3.1.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Avalex Avalex
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T16:40:30.343Z

Reserved: 2026-02-02T12:53:53.793Z

Link: CVE-2026-25462

cve-icon Vulnrichment

Updated: 2026-03-26T16:31:52.499Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:52.430

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:37Z

Weaknesses