Skip to main content

Bakes And Cakes CVE-2026-32339

| EUVDEUVD-2026-11820 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11820
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bakes And Cakes: from n/a through <= 1.2.9.

AnalysisAI

Bakes And Cakes plugin versions up to 1.2.9 contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improper access control configuration. An attacker could exploit this over the network without authentication to perform unauthorized state changes. No patch is currently available for this vulnerability.

Technical ContextAI

This vulnerability is classified under CWE-862 (Missing Authorization), which represents a fundamental access control flaw where the application fails to verify that a user has proper authorization before allowing access to specific functions or data. The affected product is the Bakes And Cakes plugin by raratheme, a WordPress plugin theme/extension used for bakery and cake-related website functionality. The vulnerability stems from incorrectly configured access control security levels within the plugin's codebase, meaning certain administrative or sensitive operations lack proper permission checks before execution. WordPress plugins rely on the WordPress nonces, capability checking (using current_user_can()), and role-based access control (RBAC) mechanisms to protect actions; the presence of this vulnerability indicates these protections were either absent or improperly implemented in one or more plugin endpoints or AJAX handlers.

RemediationAI

Immediately upgrade the Bakes And Cakes plugin to the latest version released after 1.2.9, which should contain fixes for the missing authorization checks. Users can upgrade via the WordPress admin dashboard (Plugins > Installed Plugins > Bakes And Cakes > Update, if available) or by downloading the latest version from the WordPress Plugin Directory and installing it manually. If an immediate patch is unavailable from the vendor, temporarily disable the Bakes And Cakes plugin until a patched version is confirmed released. Additionally, implement WordPress hardening measures including enforcing strong authentication, limiting REST API access to authenticated users only, and restricting administrative panel access via IP whitelisting if the vulnerability is exploitable through WordPress REST endpoints or admin-ajax handlers. Monitor plugin update channels and apply patches within 48 to 72 hours of release for all WordPress plugins, especially those handling sensitive data.

Share

CVE-2026-32339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy