Skip to main content

Construction Landing Page CVE-2026-32338

| EUVDEUVD-2026-11818 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11818
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Construction Landing Page construction-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Landing Page: from n/a through <= 1.4.1.

AnalysisAI

The Construction Landing Page plugin through version 1.4.1 contains a missing authorization vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to perform unauthorized changes to the application without authentication or user interaction. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a common weakness where access control checks are either absent or improperly implemented. The raratheme Construction Landing Page plugin, identifiable via CPE string cpe:2.3:a:raratheme:construction-landing-page, fails to enforce proper authorization checks before allowing state-changing operations. This typically manifests in WordPress plugins as missing nonce verification, absent capability checks (wp_verify_nonce, current_user_can), or exposed REST API endpoints without proper permission callbacks. The issue affects the plugin architecture itself rather than a third-party library, indicating flawed security implementation in the plugin's core functionality handlers.

RemediationAI

Immediately upgrade the raratheme Construction Landing Page plugin to the latest patched version (1.4.2 or higher) available from WordPress.org or the vendor's official repository. Verify the upgrade via the plugin management dashboard and confirm the version string has incremented. As a temporary measure before patching is feasible, restrict plugin functionality by disabling the plugin entirely if non-critical, or implement Web Application Firewall (WAF) rules to block suspicious state-change requests to the plugin's endpoints. Additionally, audit user roles and remove unnecessary editor/administrator permissions from untrusted accounts, and enable security monitoring to detect unusual modification activities on affected sites.

Share

CVE-2026-32338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy