Attack Vectors
Site Suggest (WordPress plugin slug: site-suggest) versions up to and including 1.3.9 are affected by a Medium-severity issue (CVSS 5.3) identified as CVE-2026-28104. The core concern is that an attacker does not need to be logged in to reach a vulnerable function.
From a business-risk perspective, this means exposure is not limited to “insider” misuse or compromised user accounts. Instead, any external party who can reach your website over the internet may attempt to trigger the unauthorized behavior, increasing the likelihood of opportunistic scanning and exploitation.
Learn more on the official CVE record: https://www.cve.org/CVERecord?id=CVE-2026-28104.
Security Weakness
The vulnerability is described as missing authorization (a missing capability check) in a function within Site Suggest (≤ 1.3.9). In practical terms, the plugin fails to reliably confirm that a request is coming from an allowed user role before performing an action.
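To make the weakness concrete, here is an added illustration of the pattern in a generic WordPress plugin. It is not Site Suggest's code; the function, option, nonce and action names are hypothetical. It shows an admin-ajax handler with no capability check beside the same handler carrying the checks a fixed plugin should have.

```php
<?php
// Added illustration (not Site Suggest's code): a plugin AJAX endpoint that
// changes a stored option. All names below are hypothetical.

// --- Weak pattern: the handler is also registered for unauthenticated callers
// (wp_ajax_nopriv_) and never checks who is calling, so anyone who can reach
// /wp-admin/admin-ajax.php can change the option. This is the "missing
// capability check" shape described above.
function example_plugin_update_setting_weak() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_example_update_setting', 'example_plugin_update_setting_weak' );
add_action( 'wp_ajax_nopriv_example_update_setting', 'example_plugin_update_setting_weak' );

// --- Hardened pattern: only logged-in users reach the handler, the caller must
// hold a capability appropriate for the action, and the request must carry a
// nonce so a logged-in administrator cannot be tricked into submitting it.
function example_plugin_update_setting_hardened() {
    // Nonce check: 'example_update_setting' is the nonce action created with
    // wp_create_nonce() on the settings page that issues this request.
    // check_ajax_referer() stops execution on failure by default.
    check_ajax_referer( 'example_update_setting', 'nonce' );

    // Capability check: the step that is absent in a missing-authorization bug.
    // Use the least-privileged capability that fits the action being performed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests to this
// action are never routed to the handler and receive WordPress's default "0".
add_action( 'wp_ajax_example_update_setting_hardened', 'example_plugin_update_setting_hardened' );
```

When reviewing a plugin for this class of bug, look for every wp_ajax_nopriv_ registration, REST route with a permissive permission_callback, or admin_post_nopriv_ hook whose handler writes data without a current_user_can() check.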
The published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates that the issue is reachable over the network with low attack complexity, requires no privileges, and needs no user interaction. It indicates no confidentiality loss, but it does indicate a risk of integrity impact (an unauthorized change or action).
At a governance level, missing authorization controls are a common root cause behind incidents that look like “someone changed something they shouldn’t have,” which can be especially disruptive when it affects customer-facing content or lead-generation workflows.
Technical or Business Impacts
Even at Medium severity, unauthorized actions can create real business consequences—especially for marketing and revenue operations. If an attacker can trigger plugin functionality without permission, the result may include unwanted changes that undermine site accuracy, brand trust, or campaign performance.
Potential business impacts include disruption to inbound lead flow (for example, if site behavior changes unexpectedly), increased support and incident-response costs, and reputational risk if customers encounter altered or unreliable site experiences. For regulated organizations, it can also raise compliance questions around change control and access governance—particularly if you must demonstrate that only authorized roles can make certain site changes.
Remediation note: the source indicates no known patch is available at this time. Organizations should review the risk of keeping Site Suggest installed, consider mitigations aligned to their risk tolerance, and may choose to uninstall the affected software and replace it if the plugin is not business-critical.
Similar Attacks
Missing authorization (and related access-control failures) is a well-known pattern that has been leveraged in major incidents. Examples include:
CVE-2024-6387 (OpenSSH “regreSSHion”) — a widely discussed case where remote exploitation risk drove rapid security response and operational attention.
MOVEit Transfer exploitation (CISA Alert, 2023) — a high-profile example of internet-facing systems being targeted at scale, illustrating why externally reachable weaknesses quickly become business incidents.
Microsoft Exchange on-premises exploitation (CISA Alert, 2021) — demonstrates how attackers prioritize remotely accessible flaws to gain unauthorized capabilities and create widespread operational impact.