What the vulnerability does
01Description
Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9.
Explanation of Vulnerability in Simple Terms
02Summary
The Miraculous Core Plugin versions 2.0.9 and earlier contain a critical vulnerability that allows unauthenticated attackers to read sensitive data, modify site content, or disrupt service without any user interaction. The vulnerability stems from improper access control, enabling remote exploitation over the network. All sites running affected versions require immediate patching.
What an attacker can do
03Attacker Capabilities
Read sensitive data, modify content, or disable the site without logging in.
Potential impact on your site
04Site Impact
Attackers can compromise your site's data, content, and availability without any barrier to entry.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
November 6, 2025
CVE published
April 28, 2026
Record updated