CVE-2026-32441
Received Received - Intake

Missing Authorization in WebToffee Comments Import & Export Plugin

Vulnerability report for CVE-2026-32441, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-04-29

Assigner: Patchstack

Description

Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-04-29
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
webtoffee comments_import_export to 2.4.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-32441 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a Missing Authorization issue in the WebToffee Comments Import & Export plugin for WooCommerce. It allows attackers to exploit incorrectly configured access control security levels, meaning that unauthorized users might gain access to functionality or data they should not be able to access.

Impact Analysis

The impact of this vulnerability could include unauthorized access to comment import and export features, potentially allowing attackers to manipulate, export, or import comments without proper permissions. This could lead to data integrity issues or exposure of sensitive information.

Detection Guidance

The vulnerability arises from missing authorization checks in the Comments Import & Export plugin, allowing subscriber-level users to perform unauthorized actions. Detection involves monitoring for unauthorized access attempts or actions performed by low-privileged users that should require higher privileges.

While specific commands are not provided, detection can include reviewing web server logs for suspicious POST or GET requests targeting the plugin's import/export functions, especially those initiated by subscriber-level accounts.

Additionally, using security monitoring tools that detect broken access control attempts or unusual privilege escalations related to the plugin can help identify exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update the Comments Import & Export plugin to version 2.5.0 or later, where the vulnerability has been patched.

Until the update can be applied, applying the immediate mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended.

Additionally, enabling continuous security monitoring and automatic updates for vulnerable plugins can help protect affected sites from exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32441. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart