Attack Vectors
CVE-2026-24571 is a Medium-severity authorization issue (CVSS 4.3) affecting the BOX NOW Delivery WordPress plugin (box-now-delivery) in versions up to and including 3.0.2.
Exploitation requires that the attacker already holds a valid login (for example, a compromised user account or a low-privilege account such as Subscriber). Because the issue can be exploited over the network and does not require user interaction, any obtained credential is enough to reach it, which increases the likelihood of misuse once credentials are obtained.
Reference: CVE-2026-24571 record.
Security Weakness
The vulnerability is caused by a missing capability (permission) check on a plugin function. In practical terms, this means the plugin does not consistently verify whether the logged-in user is authorized to perform a specific action.
According to the published advisory, this makes it possible for authenticated attackers with subscriber-level access and above to perform an unauthorized action in affected versions. (The advisory does not specify the exact action, so it should be treated broadly as “an action that should have been restricted.”)
Source: Wordfence vulnerability entry.
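As an added illustration (constructed for this page, not BOX NOW Delivery's code; the advisory does not name the affected function), the following shows what a missing capability check on a WordPress AJAX handler looks like beside the hardened form. All hook, function and option names are hypothetical.

```php
<?php
// Constructed example of the weakness class (missing authorization), not the plugin's code.

// Vulnerable pattern: a wp_ajax_* callback is reachable by any logged-in user
// (Subscriber and above) and performs a privileged operation without checking
// whether the caller is allowed to do so.
function example_save_settings_vulnerable() {
    // No nonce check, no capability check: any authenticated user reaches this line.
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
// (registered as: add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );)

// Hardened pattern: verify the request nonce (CSRF protection) and require a
// capability that only trusted roles hold before touching the option. Note that
// being logged in is authentication, not authorization; the capability check is
// what enforces the role boundary the advisory describes as missing.
function example_save_settings_hardened() {
    // Terminates the request if the nonce is absent or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // manage_options is held by Administrators (and Super Admins) by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
```

When auditing a plugin for this class of bug, review every `wp_ajax_*`, REST route `permission_callback`, and `admin_post_*` handler for a `current_user_can()` check that matches the sensitivity of the action it performs.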
Technical or Business Impacts
Even at Medium severity, missing-authorization issues are important for business leaders because they often bypass normal workflow controls. If an attacker gains access to any low-privilege account (through password reuse, phishing, or a leaked credential), they may be able to manipulate site behavior in ways that were intended only for trusted roles.
Potential business impacts can include: operational disruption (unexpected changes that require urgent investigation), customer experience issues (delivery or checkout-related friction if site configuration is altered), compliance concerns (audit findings when access control is not enforced), and reputational risk if customers experience service instability.
Remediation: Update BOX NOW Delivery to version 3.2.0 or a newer patched version, as recommended by the advisory. As a governance best practice, also review user accounts for least-privilege access and ensure Subscriber accounts are not granted unnecessary capabilities through other plugins or customizations.
Similar attacks (real examples): Authorization gaps have affected the WordPress ecosystem before, including the WordPress core REST API content injection vulnerability addressed in the WordPress 4.7.2 security release, where insufficient permission checks enabled unauthorized content changes under certain conditions.