Skip to main content

Preschool And Kindergarten CVE-2026-32337

| EUVDEUVD-2026-11816 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11816
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Preschool and Kindergarten preschool-and-kindergarten allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Preschool and Kindergarten: from n/a through <= 1.2.5.

AnalysisAI

Improperly configured access controls in the Preschool and Kindergarten plugin (versions up to 1.2.5) allow unauthenticated attackers to modify content or settings without proper authorization. This missing authorization vulnerability affects websites using the vulnerable plugin and could enable unauthorized data tampering. No security patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a common WordPress plugin flaw where access control checks are either absent or misconfigured at critical function entry points. The raratheme Preschool and Kindergarten plugin (CPE identifier: cpe:2.3:a:raratheme:preschool_and_kindergarten) fails to validate user capabilities or enforce proper permission checks before processing sensitive operations. This is typical of WordPress security oversights where developers neglect to use functions like current_user_can() or do_action() hooks with proper nonce verification before executing administrative or content-modification functions. The plugin architecture likely exposes AJAX handlers, REST API endpoints, or direct function calls without proper authorization gates, allowing an unauthenticated actor to directly invoke privileged operations.

RemediationAI

Immediately upgrade the Preschool and Kindergarten plugin to the patched version released by raratheme (version 1.2.6 or later if available; verify the exact patch version on the official plugin repository or raratheme website). To upgrade, navigate to WordPress Dashboard > Plugins > Preschool and Kindergarten, click Update, and confirm. If no patch is yet available or the theme is no longer maintained, temporarily disable the plugin and switch to a maintained alternative theme until a security update is released. As a interim measure, restrict WordPress admin access via IP whitelisting using a Web Application Firewall or .htaccess rules, enforce strong authentication via a security plugin like Wordfence, and monitor site activity logs for unauthorized content modifications. Ensure WordPress core, all plugins, and themes are kept current with security updates going forward.

Share

CVE-2026-32337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy