CVE-2026-32501
Received Received - Intake
Missing Authorization in WP Configurator Pro Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32501
EUVD
EUVD-2026-15851
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wp_configurator wp_configurator_pro to 3.7.9 (inc)
patchstack wp_configurator_pro to 3.7.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32501 is a Broken Access Control vulnerability in the WordPress WP Configurator Pro plugin versions up to and including 3.7.9.

This vulnerability occurs because the plugin is missing proper authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users (even those with only subscriber-level privileges) to perform actions that normally require higher privileges.

It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 7.1, indicating a medium severity.

Impact Analysis

This vulnerability allows attackers with low-level access to perform unauthorized actions that should be restricted to higher privilege users.

Such unauthorized actions can compromise the security and integrity of your WordPress site, potentially leading to unauthorized changes, data exposure, or further exploitation.

Because it requires only subscriber-level privileges to exploit, it increases the risk of mass exploitation campaigns targeting many websites regardless of their popularity or traffic.

Immediate mitigation involves updating the plugin to version 3.8.0 or later, or applying automatic mitigation rules provided by Patchstack.

Detection Guidance

This vulnerability allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks in the WP Configurator Pro plugin up to version 3.7.9.

Detection typically involves monitoring for exploitation attempts targeting the plugin's vulnerable functions, especially from subscriber-level accounts.

Patchstack provides an automatic mitigation rule that can block exploitation attempts, which can also be used to detect such attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to update the WP Configurator Pro plugin to version 3.8.0 or later, where the issue is resolved.

If immediate updating is not possible, users are advised to enable Patchstack's automatic mitigation rules that block exploitation attempts.

Users can also enable auto-updates specifically for vulnerable plugins via Patchstack to ensure ongoing protection.

Seeking assistance from hosting providers or web developers is recommended if users cannot update or apply mitigations themselves.

Compliance Impact

The provided information does not specify how the CVE-2026-32501 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart