{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32515", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:06.206Z", "dateUpdated": "2026-03-25T16:15:06.206Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "miraculous", "product": "Miraculous", "vendor": "kamleshyadav", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "< 2.1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.141Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Miraculous: from n/a through < 2.1.2.</p>"}], "value": "Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:06.206Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-1-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Miraculous theme < 2.1.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2."}], "id": "CVE-2026-32515", "lastModified": "2026-03-25T17:17:03.987", "metrics": {}, "published": "2026-03-25T17:17:03.987", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-1-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:20:41.604909+00:00", "value": {"mitigation_remediation": ["Update the Miraculous theme to version 2.1.2 or later", "Verify that the updated theme has restored proper authorization checks", "If an update is not immediately possible, disable or remove all theme\u2011provided administrative pages or functions that are not essential", "Monitor the site for unauthorized content changes or user privilege escalation attempts"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Miraculous theme with a version earlier than 2.1.2 are affected. The vulnerability does not impact newer releases of the theme and is limited to the theme\u2019s administrative interface and associated back\u2011end functions.", "description_and_impact": "A missing authorization check in the Miraculous WordPress theme allows attackers to perform actions that should be limited to privileged users. This broken access control can enable the creation, modification, or deletion of site content, user accounts, or other protected resources, thereby compromising confidentiality, integrity, and availability of the website.", "risk_and_exploitability": "The EPSS score is not supplied, and the vulnerability is not listed in CISA\u2019s KEV catalog, so the likelihood of exploitation is unknown. Nevertheless, because the flaw permits privilege escalation without requiring special credentials, an attacker who can access the site\u2019s administrative interface or manipulate the theme\u2019s custom endpoints can exploit the weakness. The potential impact is significant due to full control over site content and environment."}}}}, "created": "2026-03-25T21:47:24.911730+00:00", "updated": "2026-03-25T21:47:24.911763+00:00", "vendors": []}