{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32495", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:59.408Z", "dateUpdated": "2026-03-25T16:14:59.408Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-terms-popup", "product": "WP Terms Popup", "vendor": "Link Software LLC", "versions": [{"changes": [{"at": "2.11.0", "status": "unaffected"}], "lessThanOrEqual": "<= 2.10.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.767Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Terms Popup: from n/a through <= 2.10.0.</p>"}], "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.408Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Terms Popup plugin <= 2.10.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0."}], "id": "CVE-2026-32495", "lastModified": "2026-03-25T17:17:01.247", "metrics": {}, "published": "2026-03-25T17:17:01.247", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:34:45.335329+00:00", "value": {"mitigation_remediation": ["Update WP Terms Popup to a version newer than 2.10.0. If an update is not feasible, deactivate or uninstall the plugin. Ensure that only trusted administrators retain content\u2011editing privileges on the site."], "summary": {"action": "Apply Update", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Link Software LLC\u2019s WP Terms Popup plugin is vulnerable in all releases up to and including version 2.10.0. Users whose sites run these versions are impacted and should plan an update or removal.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to bypass the plugin\u2019s access controls. By exploiting incorrect configuration of security levels, an attacker can perform actions that are normally restricted, such as viewing or modifying content, settings, or other sensitive data. This constitutes a broken access control weakness, classified under CWE\u2011862, and can lead to confidentiality and integrity breaches for the affected WordPress site.", "risk_and_exploitability": "Because the flaw removes the boundary between authorized and unauthorized users, the risk of exploitation is high. The CVSS score is not provided, and EPSS data is unavailable, but the sheer breadth of potential impact\u2014such as elevating user rights or manipulating site content\u2014makes it a serious concern. Attackers are likely able to reach the vulnerable code through web requests, so the attack vector is inferred to be remote and web\u2011based."}}}}, "created": "2026-03-25T21:43:33.492972+00:00", "updated": "2026-03-25T21:43:33.493019+00:00", "vendors": []}