CVE-2026-54184: WordPress Clean Login plugin <= 1.15 - Insecure Direct Object References (IDOR) vulnerability
Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An Insecure Direct Object Reference (IDOR) vulnerability affects the Clean Login WordPress plugin at version 1.15 and below. The flaw is reachable over the network without any authentication, meaning any remote visitor can send a crafted request that references internal objects the plugin exposes without access checks. Successful exploitation gives an attacker limited write capability over affected data and disrupts service availability. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
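To make the flaw class concrete, the following is an added illustration and not Clean Login's code (this advisory does not identify the plugin's affected endpoint): a hypothetical WordPress AJAX handler that updates a plugin-managed record by a caller-supplied id, shown first in the IDOR-prone shape the synopsis describes (reachable without authentication, the id trusted with no access check) and then in a hardened form. Every function, action, post type and meta key name is an assumption; the WordPress API calls (`check_ajax_referer`, `get_post`, `current_user_can`, `wp_send_json_error`) are real.

```php
<?php
// Added example, not code from the Clean Login plugin. All names below are hypothetical.

// IDOR-PRONE PATTERN: registered on wp_ajax_nopriv_ (unauthenticated callers) and
// trusting the caller-supplied record id with no ownership or capability check.
function hypothetical_update_record_vulnerable() {
    $id    = (int) ( $_POST['record_id'] ?? 0 );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    // Any visitor who can guess or enumerate an id overwrites that record.
    update_post_meta( $id, 'hypothetical_value', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_hypothetical_update_record', 'hypothetical_update_record_vulnerable' );
add_action( 'wp_ajax_hypothetical_update_record', 'hypothetical_update_record_vulnerable' );

// HARDENED PATTERN: authenticated only, nonce-checked, and the id is treated as a
// lookup key whose owner is derived server-side before any write happens.
function hypothetical_update_record_hardened() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    //    check_ajax_referer() dies with a 403 on mismatch.
    check_ajax_referer( 'hypothetical_update_record', 'nonce' );

    // 2. Authentication: not registered on wp_ajax_nopriv_, and refused here as well.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $id    = (int) ( $_POST['record_id'] ?? 0 );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    // 3. Object validation: the id must resolve to a record of the expected type.
    $record = get_post( $id );
    if ( ! $record || 'hypothetical_record' !== $record->post_type ) {
        wp_send_json_error( array( 'message' => 'Record not found.' ), 404 );
    }

    // 4. Authorization: only the owner, or a user with an explicit capability,
    //    may modify it. The owner comes from the stored record, never the request.
    $is_owner = (int) $record->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    update_post_meta( $id, 'hypothetical_value', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_update_record', 'hypothetical_update_record_hardened' );
```

The hardened handler makes the reference indirect in effect: the client still sends an id, but the server decides from its own data who owns the object and whether the caller may touch it, which is the check whose absence defines an IDOR. Note that `wp_send_json_error()` terminates the request, so no explicit `return` is needed after it.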
HarborGuard Coverage
Detection for CVE-2026-54184 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle the Clean Login plugin. Any image carrying the Clean Login plugin at version 1.15 or below is flagged in both registry scans and active CI/CD pipeline checks.
Triage is available with a CVSS v3.1 base score of 8.2 (HIGH), and per-environment compliance policy weighting can escalate or suppress the finding based on each customer org's risk posture. Routed findings surface in the inbox of the relevant team within each customer organization according to their configured assignment rules.
No fix version has been published upstream for CVE-2026-54184 (status: pending upstream); HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the Clean Login maintainers ship a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to exploit this flaw.
- Authentication: Not required
No account or session credential of any kind is needed; the IDOR is reachable by any unauthenticated request.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is required for exploitation.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.
Blast Radius
- An attacker modifies data through the exposed object references, giving limited write access to affected plugin-managed records.
- An attacker disrupts availability of the affected service, causing the WordPress site or specific plugin functionality to become unresponsive or crash.
- Because integrity and availability are both impacted, a sustained attack can leave the site in a corrupted or non-functional state without any privileged access.
How HarborGuard Handles This
Automated scanning detects any image carrying Clean Login at version 1.15 or below and surfaces the finding as HIGH severity with a CVSS score of 8.2. Because no upstream fix has been published yet, HarborGuard monitors the Patchstack advisory and the WordPress plugin repository on every ingest cycle. The moment a patched release is available, a rebuilt image is made available automatically, and customers with auto-remediation enabled receive a regression-tested rebuild along with a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation, web application firewall rules that block requests containing unexpected object reference patterns in plugin endpoints, and disabling the Clean Login plugin entirely if the functionality is not critical to operations.
Affected Products
- Alberto Hornero / Clean Login: ≤ 1.15
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H