Description
Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unauthenticated broken access control vulnerability that permits an attacker to view, edit, or delete content managed by the Intranet & Private Site – All-In-One Intranet plugin. This can expose sensitive information and disrupt workplace communications. The underlying weakness is identified as CWE-862, allowing unprivileged users to access privileged resources.

Affected Systems

WordPress sites that have the Intranet & Private Site – All-In-One Intranet plugin by Syed Balkhi installed in version 1.8.1 or earlier are affected. No other products are listed in the advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The EPSS score is not provided, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Based on the description it is inferred that the attack vector likely exploits the plugin’s administrative HTTP endpoints, allowing access without authentication. Successful exploitation would give an attacker unrestricted control over intranet content and potentially modify or remove it.

Generated by OpenCVE AI on June 26, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Update the WordPress Intranet & Private Site – All-In-One Intranet Plugin to the latest available version (at least 1.9.0).


OpenCVE Recommended Actions

  • Update the Intranet & Private Site – All-In-One Intranet plugin to version 1.9.0 or later
  • If an update cannot be applied immediately, restrict direct access to the plugin’s administrative screens and enforce role‑based limitations
  • Perform an audit of intranet data and user activity logs to identify any unauthorized changes made while the vulnerable version was active


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions. |
| Title | | WordPress Intranet & Private Site – All-In-One Intranet plugin <= 1.8.1 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:19:01.084Z

Reserved: 2026-06-16T09:21:57.269Z

Link: CVE-2026-54837

Vulnrichment

Updated: 2026-06-26T20:18:56.041Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses