Authentication Bypass in Advanced Access Manager Plugin from AAM
CVE-2026-42674

7.5HIGH

Key Information:

Vendor: WordPress
Status: Advanced Access Manager
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-42674?

The Advanced Access Manager plugin is susceptible to an authentication bypass through spoofing. This vulnerability allows attackers to exploit URL encoding techniques, leading to unauthorized access. It affects versions of the plugin up to 7.1.0, posing risks to users by potentially enabling unauthorized control of access permissions. Organizations using this plugin should take immediate action to mitigate risks.

Affected Version(s)

Advanced Access Manager <= 7.1.0

References

https://patchstack.com/database/wordpress/plugin/advanced...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

Tiago Ventura (@perses) | Patchstack Bug Bounty Program

CVE-2026-42674 Data

JSON

WordPress

What is CVE-2026-42674?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit