CVE-2026-32396
Missing Authorization in RadiusTheme Team β€ 5.0.13 Enables Access Bypass
Publication date: 2026-03-13
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| radius_theme | tlp-team | to 5.0.13 (inc) |
| radiustheme | tlp-team | to 5.0.13 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32396 is a broken access control vulnerability found in the WordPress Team Plugin (tlp-team) versions up to and including 5.0.13.
The issue arises due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges.
This means that the plugin incorrectly configures access control security levels, enabling unauthorized access.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to perform privileged actions within the WordPress Team Plugin, potentially leading to unauthorized changes or access.
However, the vulnerability has a CVSS score of 5.3, indicating a low severity impact and a low priority for exploitation.
While it does not pose a significant threat, it is important to address it to maintain secure access controls and prevent unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, allowing unauthenticated users to perform actions requiring higher privileges.
Detection would involve monitoring for unauthorized access attempts or unusual privilege escalations related to the WordPress Team Plugin (tlp-team) up to version 5.0.13.
Specific commands or network detection methods are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the WordPress Team Plugin (tlp-team) to version 5.0.14 or later, where the vulnerability is resolved.'}, {'type': 'paragraph', 'content': "Additionally, using Patchstack's mitigation services, including auto-updates for vulnerable plugins, can help maintain secure access controls."}, {'type': 'paragraph', 'content': 'Since the vulnerability is due to broken access control, reviewing and tightening access permissions and authentication mechanisms in the plugin configuration is also advisable.'}] [1]