Skip to main content

Ppwp CVE-2026-32562

| EUVDEUVD-2026-15927 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-8qph-hrcc-w5cj
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15927
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPWP: from n/a through <= 1.9.15.

AnalysisAI

Unauthorized users in WP Folio Team's Password Protect Page plugin (versions up to 1.9.15) can bypass access controls due to missing authorization checks, allowing them to modify page content or cause service disruptions. Authenticated attackers can exploit this vulnerability to escalate privileges and manipulate access restrictions on protected pages. No patch is currently available.

Technical ContextAI

The vulnerability resides in the WP Folio Team PPWP WordPress plugin (identified via CPE cpe:2.3:a:wp_folio_team:ppwp:*:*:*:*:*:*:*:*), which provides password protection functionality for WordPress pages. The root cause is classified under CWE-862: Missing Authorization, indicating that the plugin fails to enforce proper access control checks before granting users access to protected content. Rather than a cryptographic flaw, this is an authorization logic defect where the plugin's access control mechanism either lacks proper validation of user credentials, fails to enforce security level restrictions consistently, or allows enumeration or bypass of the authentication mechanisms intended to protect sensitive pages. WordPress plugins implementing access control must verify user permissions at every entry point; this vulnerability suggests the PPWP plugin has gaps in its authorization enforcement, likely in the page rendering or shortcode processing code paths.

RemediationAI

Immediately upgrade the PPWP plugin to a patched version released after 1.9.15 by WP Folio Team. Check the official plugin page on WordPress.org or contact WP Folio Team for patch availability, as specific patch version numbers were not disclosed in the intelligence sources. Administrators should review all password-protected pages and their security configurations after upgrading to ensure proper authorization logic is in place. As a temporary workaround pending patching, restrict direct access to protected pages at the web server or reverse proxy level using IP allowlisting or require additional authentication layers (such as WordPress user login) before accessing password-protected content. Audit access logs for any unauthorized page access in the period prior to applying patches. Reference the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/password-protect-page/vulnerability/wordpress-ppwp-plugin-1-9-15-broken-access-control-vulnerability for detailed advisory information and patch announcements.

Share

CVE-2026-32562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy