CVE-2026-32396
Received Received - Intake
Missing Authorization in RadiusTheme Team ≀ 5.0.13 Enables Access Bypass

Publication date: 2026-03-13

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32396
EUVD
EUVD-2026-11911
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
radius_theme tlp-team to 5.0.13 (inc)
radiustheme tlp-team to 5.0.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32396 is a broken access control vulnerability found in the WordPress Team Plugin (tlp-team) versions up to and including 5.0.13.

The issue arises due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges.

This means that the plugin incorrectly configures access control security levels, enabling unauthorized access.

Impact Analysis

This vulnerability allows unauthenticated users to perform privileged actions within the WordPress Team Plugin, potentially leading to unauthorized changes or access.

However, the vulnerability has a CVSS score of 5.3, indicating a low severity impact and a low priority for exploitation.

While it does not pose a significant threat, it is important to address it to maintain secure access controls and prevent unauthorized access.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, allowing unauthenticated users to perform actions requiring higher privileges.

Detection would involve monitoring for unauthorized access attempts or unusual privilege escalations related to the WordPress Team Plugin (tlp-team) up to version 5.0.13.

Specific commands or network detection methods are not provided in the available resources.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the WordPress Team Plugin (tlp-team) to version 5.0.14 or later, where the vulnerability is resolved.'}, {'type': 'paragraph', 'content': "Additionally, using Patchstack's mitigation services, including auto-updates for vulnerable plugins, can help maintain secure access controls."}, {'type': 'paragraph', 'content': 'Since the vulnerability is due to broken access control, reviewing and tightening access permissions and authentication mechanisms in the plugin configuration is also advisable.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32396. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart