{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32501", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.663Z", "datePublished": "2026-03-25T16:15:00.819Z", "dateUpdated": "2026-03-25T16:15:00.819Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "wp-configurator-pro", "product": "WP Configurator Pro", "vendor": "wp-configurator", "versions": [{"changes": [{"at": "3.8.0", "status": "unaffected"}], "lessThanOrEqual": "<= 3.7.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.481Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Configurator Pro: from n/a through <= 3.7.9.</p>"}], "value": "Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:00.819Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-configurator-pro/vulnerability/wordpress-wp-configurator-pro-plugin-3-7-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Configurator Pro plugin <= 3.7.9 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9."}], "id": "CVE-2026-32501", "lastModified": "2026-03-25T17:17:02.080", "metrics": {}, "published": "2026-03-25T17:17:02.080", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-configurator-pro/vulnerability/wordpress-wp-configurator-pro-plugin-3-7-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:22:09.973454+00:00", "value": {"mitigation_remediation": ["Update WP Configurator Pro to the latest available version", "If an update is not available, restrict access to the plugin\u2019s pages and functionality to administrator roles only or disable the plugin entirely until a patch is released", "Verify that no unauthorized administrators or editors have elevated privileges within the WordPress installation", "Monitor site logs for unexpected configuration changes or repeated access attempts", "Consult the vendor\u2019s website or support forum for advisories, patch releases, or temporary workarounds"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The problem affects the WordPress WP Configurator Pro plugin distributed by wp-configurator. All releases up to and including version 3.7.9 are vulnerable. Any WordPress instance that has the plugin installed and the affected versions is at risk unless updated.", "description_and_impact": "The CVE describes a Missing Authorization flaw in WP Configurator Pro that lets an attacker exploit incorrectly configured access control levels. By bypassing authentication checks, a functionally unauthenticated user could alter the plugin\u2019s settings, potentially tampering with configuration data that controls site behavior. This attack could enable the attacker to gain elevated privileges within the WordPress site or disrupt functionality, representing a serious integrity and privilege issue tied to CWE-862.", "risk_and_exploitability": "The specific exploitation method is not detailed in the description, but because the vulnerability is an access control flaw, it is reasonable to infer that an attacker could trigger it through the plugin\u2019s web interface or an API endpoint. No CVSS score, EPSS value, or KEV entry is available, so the assessment relies on the fact that a missing authorization check grants significant authority. The risk is high, especially in environments where the plugin is available to non\u2011administrative users. Mitigation should prioritize applying a vendor fix or, if not available, limiting plugin use to administrators only."}}}}, "created": "2026-03-25T21:47:38.540382+00:00", "updated": "2026-03-25T21:47:38.540419+00:00", "vendors": []}