Skip to main content

Business One Page EUVDEUVD-2026-11822

| CVE-2026-32340 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11822
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Business One Page business-one-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business One Page: from n/a through <= 1.3.2.

AnalysisAI

Business One Page up to version 1.3.2 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this weakness to alter sensitive information without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability resides in the raratheme Business One Page WordPress plugin (CPE: cpe:2.3:a:raratheme:business-one-page), a one-page business website theme/plugin for WordPress. The root cause is classified under CWE-862 (Missing Authorization), which indicates that the application fails to perform proper authorization checks before allowing access to sensitive operations. The plugin appears to expose administrative or data-modifying functionality without verifying user roles, capabilities, or session tokens. This is a common WordPress vulnerability pattern where REST API endpoints, admin-ajax.php handlers, or theme functions lack proper nonce validation and capability checks, allowing any anonymous request to trigger state changes.

RemediationAI

Immediately upgrade the raratheme Business One Page plugin to a version later than 1.3.2; consult the WordPress plugin repository or raratheme's official website for the latest stable release and changelog confirmation. Until a patch is deployed, implement the following mitigations: restrict WordPress admin and plugin access via IP whitelisting or VPN to trusted networks only, apply a Web Application Firewall (WAF) rule to block unauthorized POST/PUT requests to plugin endpoints, enable WordPress security headers and ensure all user accounts use strong passwords with two-factor authentication, and audit recent database and file modifications for signs of compromise. Additionally, consider temporarily disabling the plugin if it is not actively required for core business operations.

Share

EUVD-2026-11822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy