HarborGuard Database
Severity: HIGH | CVE-2026-42674 | CNA: Patchstack (Published and Modified dates not available)

CVE-2026-42674: WordPress Advanced Access Manager plugin <= 7.1.0 - Authentication Bypass Vulnerability

Authentication Bypass by Spoofing vulnerability in AAM Plugin's Advanced Access Manager allows an attacker to bypass the plugin's access controls through URL encoding. This issue affects Advanced Access Manager from n/a through 7.1.0.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in the Advanced Access Manager WordPress plugin at versions 7.1.0 and below. The flaw is reachable over the network without any credentials and requires no interaction from a logged-in user, so any anonymous visitor can attempt it. Successful exploitation lets an attacker get past the plugin's access controls by URL-encoding parts of a request, gaining unauthorized write access to protected content or functionality. The published vector rates the impact as high on integrity only, with no confidentiality or availability impact. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; CVE-2026-42674 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Advanced Access Manager plugin. Any image in a connected registry or CI/CD pipeline carrying the affected plugin version is flagged automatically.

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.5 HIGH using the published v3.1 vector and weights it further against each customer environment's compliance policy. Findings are routed to the owning team's inbox under per-org ownership rules, with HIGH-severity items prioritized.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version of Advanced Access Manager is released. Until then, customers can apply compensating controls such as network-policy isolation or WAF rules that block URL-encoded access-control bypass attempts. A WAF rule of that kind must percent-decode and normalize the request path before matching; a rule that inspects the raw, still-encoded path is bypassed by the same encoding trick it is meant to catch.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning any unauthenticated client that can reach the WordPress installation's HTTP interface can attempt the exploit.

  • Authentication: Not required

    No account or credential of any privilege level is needed; the bypass itself is the mechanism that circumvents access controls.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the server; no logged-in user needs to click a link or take any action.

  • Attack complexity: Low

    Exploitation is reliable and does not depend on special conditions; the attacker only needs to craft a URL-encoded request, with no race conditions or specific environmental factors required.

Blast Radius

  • Attacker bypasses WordPress access controls and gains unauthorized write access to content, settings, or restricted plugin functionality protected by Advanced Access Manager.
  • Protected pages, posts, or admin-facing resources that rely on Advanced Access Manager for access control can be modified or overwritten without legitimate credentials.
  • If the plugin guards administrative endpoints, successful bypass can lead to unauthorized configuration changes across the WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images in connected registries and CI/CD pipelines the moment the advisory is ingested. Because no upstream fix has been published as of the CVE's release date, no patched-image rebuild is available yet. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, a rebuilt image and a pull request against affected workloads will be generated automatically as soon as AAM Plugin ships a patched version. In the interim, compensating controls worth considering include network-policy isolation that restricts public access to the WordPress installation, and WAF rules that decode and normalize incoming request paths before checking them against the protected areas, so that percent-encoded or double-encoded variants are caught. Disabling Advanced Access Manager outright is not a safe substitute: the plugin is the access control for the resources in question, so switching it off removes those restrictions entirely unless the protected content is taken offline or guarded by another mechanism.
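The following is an added illustration of the URL-encoding bypass class discussed on this page and of the canonicalization a WAF rule or application check needs; it is not Advanced Access Manager's code and does not reproduce the specific defect behind CVE-2026-42674. The protected prefixes (`/members`, `/wp-admin`) and the sample request paths are constructed for the example; the functions `naive_is_protected`, `canonicalize`, `hardened_is_protected` and `compare` are hypothetical names. It shows that a rule comparing the raw request path against a protected prefix is sidestepped by percent-encoding (single or double), an encoded slash, dot-segments or a doubled leading slash, while the same rule applied after decoding and normalization holds.

```python
"""Canonicalize request paths before matching access-control rules.

Added illustration of the URL-encoding bypass class; not the plugin's code
and not the specific flaw in CVE-2026-42674. Prefixes and requests below are
constructed for the example.
"""
from urllib.parse import unquote
import posixpath

# Hypothetical protected areas (not paths taken from the advisory).
PROTECTED_PREFIXES = ("/members", "/wp-admin")

# Constructed requests: one honest hit, four encoded or path-mangled variants
# of it, and one legitimately public resource.
SAMPLE_REQUESTS = [
    "/members/report.pdf",         # plain request
    "/%6dembers/report.pdf",       # 'm' percent-encoded once
    "/%256dembers/report.pdf",     # 'm' double-encoded (%25 decodes to '%')
    "/members%2Freport.pdf",       # encoded slash; some servers reject it, some pass it through
    "/public/./../members/x.pdf",  # dot-segments resolve into the protected area
    "/public/index.html",          # public resource
]


def _under_prefix(path: str, prefixes=PROTECTED_PREFIXES) -> bool:
    """True if path equals a protected prefix or sits below it."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def naive_is_protected(path: str) -> bool:
    """Weak check: matches the path exactly as the client sent it."""
    return _under_prefix(path)


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then
    collapse '.' and '..' segments, duplicate slashes and a doubled leading
    slash. Case folding, backslashes and Unicode forms are server-specific
    and deliberately out of scope here."""
    decoded, rounds = path, 0
    while rounds < max_rounds:
        nxt = unquote(decoded)
        rounds += 1
        if nxt == decoded:
            break
        decoded = nxt
    # posixpath.normpath resolves dot-segments and never escapes above '/'
    # for an absolute path; it keeps exactly two leading slashes, so strip
    # and re-add the root ourselves.
    return "/" + posixpath.normpath(decoded).lstrip("/")


def hardened_is_protected(path: str) -> bool:
    """Decode and normalize first; fail closed if '%' survives, since the
    path then still carries an undecodable or over-nested encoding."""
    canon = canonicalize(path)
    return "%" in canon or _under_prefix(canon)


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to (naive_verdict, hardened_verdict)."""
    return {r: (naive_is_protected(r), hardened_is_protected(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hard) in compare().items():
        print(f"{req:32} naive={naive!s:5} hardened={hard!s:5} canonical={canonicalize(req)}")
```

Running the module prints one row per sample request; every encoded or mangled variant is missed by the naive check and caught by the hardened one, and the public path passes both. The decode loop is bounded and fails closed when a `%` remains, so an attacker cannot simply add encoding layers until the canonicalizer gives up.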

Affected packages
  • AAM Plugin / Advanced Access Manager
    ≤ 7.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N