Skip to main content

Book Landing Page CVE-2026-32378

| EUVDEUVD-2026-11880 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11880
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Book Landing Page: from n/a through <= 1.2.7.

AnalysisAI

Improper access control in raratheme Book Landing Page through version 1.2.7 permits unauthenticated attackers to modify content or data without proper authorization checks. The vulnerability stems from missing authentication validation on protected operations, allowing remote exploitation without user interaction. No patch is currently available.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a class of flaws where software fails to properly verify that a user has permission to perform a requested action before executing it. The Book Landing Page plugin, developed by raratheme, implements endpoint handlers or functionality that accept user requests without sufficient authorization checks. The affected component likely manages book landing page content, metadata, or configuration through web-accessible endpoints that do not validate user privileges or session tokens. This is typical in WordPress plugin architectures where custom post types or admin AJAX actions are exposed without proper capability checks (wp_verify_nonce, current_user_can, etc.). The vulnerability affects versions 1.2.7 and earlier, suggesting the authorization framework may have been added or improved in later versions.

RemediationAI

The primary remediation is to upgrade the Book Landing Page plugin to version 1.2.8 or later, which should include proper authorization checks on all data-modifying endpoints. Users should immediately apply the patch through their WordPress dashboard (Plugins > Installed Plugins > Book Landing Page > Update) or via WordPress CLI (wp plugin update book-landing-page). As an interim workaround until patching is possible, administrators should disable the plugin and reactivate it only after upgrading, or restrict access to wp-admin and plugin endpoints using web application firewall (WAF) rules or .htaccess restrictions to limit exposure. Additionally, conduct a security audit of recent changes to book landing pages to identify any unauthorized modifications that may have occurred, and consider implementing role-based access controls at the application level to enforce least-privilege principles.

Share

CVE-2026-32378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy