CVE-2026-32501
Missing Authorization in WP Configurator Pro Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_configurator | wp_configurator_pro | to 3.7.9 (inc) |
| patchstack | wp_configurator_pro | to 3.7.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32501 is a Broken Access Control vulnerability in the WordPress WP Configurator Pro plugin versions up to and including 3.7.9.
This vulnerability occurs because the plugin is missing proper authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users (even those with only subscriber-level privileges) to perform actions that normally require higher privileges.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 7.1, indicating a medium severity.
How can this vulnerability impact me? :
This vulnerability allows attackers with low-level access to perform unauthorized actions that should be restricted to higher privilege users.
Such unauthorized actions can compromise the security and integrity of your WordPress site, potentially leading to unauthorized changes, data exposure, or further exploitation.
Because it requires only subscriber-level privileges to exploit, it increases the risk of mass exploitation campaigns targeting many websites regardless of their popularity or traffic.
Immediate mitigation involves updating the plugin to version 3.8.0 or later, or applying automatic mitigation rules provided by Patchstack.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks in the WP Configurator Pro plugin up to version 3.7.9.
Detection typically involves monitoring for exploitation attempts targeting the plugin's vulnerable functions, especially from subscriber-level accounts.
Patchstack provides an automatic mitigation rule that can block exploitation attempts, which can also be used to detect such attempts.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to update the WP Configurator Pro plugin to version 3.8.0 or later, where the issue is resolved.
If immediate updating is not possible, users are advised to enable Patchstack's automatic mitigation rules that block exploitation attempts.
Users can also enable auto-updates specifically for vulnerable plugins via Patchstack to ensure ongoing protection.
Seeking assistance from hosting providers or web developers is recommended if users cannot update or apply mitigations themselves.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-32501 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.