CVE-2026-24569 identifies a missing authorization vulnerability in the Sully Media Library File Size plugin, versions up to and including 1.6.7. The flaw arises from incorrectly configured access control mechanisms that fail to properly restrict access to file size information within the media library. This allows an attacker with at least some level of privileges (PR:L) to remotely access file size metadata without requiring user interaction (UI:N). The vulnerability impacts confidentiality by exposing information that could be leveraged for further attacks or reconnaissance but does not compromise data integrity or system availability. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates that the attack can be performed over the network with low attack complexity and only requires privileges that are already granted to the attacker, but no additional user interaction is needed. The vulnerability affects all versions up to 1.6.7, with no patch currently linked in the provided data. No known exploits have been reported in the wild, suggesting limited active exploitation at this time. The vulnerability is classified as medium severity due to its limited impact scope and the requirement for some level of privilege. However, it remains a concern for organizations relying on this plugin for media management, as unauthorized access to metadata can facilitate further attacks or data leakage.

For European organizations, this vulnerability could lead to unauthorized disclosure of media file size information, which might be used for reconnaissance or to infer sensitive operational details. While the direct impact on confidentiality is limited, attackers could combine this information with other vulnerabilities or social engineering to escalate privileges or access more sensitive data. Organizations handling sensitive media content, such as media companies, broadcasters, or governmental agencies, may face increased risk if attackers leverage this flaw as part of a broader attack chain. The vulnerability does not affect data integrity or availability, so operational disruption is unlikely. However, the exposure of metadata could violate data protection policies or compliance requirements, especially under GDPR if personal data or sensitive information is indirectly inferred. The medium severity rating suggests that while immediate risk is moderate, the vulnerability should not be ignored, particularly in environments with multiple layered vulnerabilities or where the plugin is widely deployed.

Organizations should immediately review and enforce strict access control policies for the Sully Media Library File Size plugin. This includes verifying that only authorized users with appropriate privileges can access file size metadata. If a patch becomes available, it should be applied promptly. In the absence of a patch, consider disabling or restricting the plugin's functionality to trusted users only. Implement network segmentation and monitoring to detect unusual access patterns to media library resources. Conduct regular audits of user privileges and plugin configurations to ensure compliance with the principle of least privilege. Additionally, integrate this vulnerability into vulnerability management and incident response workflows to quickly identify and respond to any exploitation attempts. Employ web application firewalls (WAFs) to block unauthorized requests targeting the plugin endpoints. Finally, raise user awareness about the risks of privilege misuse and ensure that administrative accounts are protected with strong authentication mechanisms.