Skip to main content

Chocolate House EUVDEUVD-2026-11836

| CVE-2026-32350 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11836
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in wpradiant Chocolate House chocolate-house allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chocolate House: from n/a through <= 1.1.5.

AnalysisAI

Improper access control in Chocolate House through version 1.1.5 allows unauthenticated remote attackers to modify data by bypassing authorization checks. The vulnerability affects all versions up to 1.1.5, and no patch is currently available. An attacker could exploit misconfigured security levels to gain unauthorized write access without authentication.

Technical ContextAI

This vulnerability is classified as CWE-862 (Missing Authorization), a critical access control flaw where the application fails to enforce privilege boundaries for sensitive operations. The wpradiant Chocolate House plugin, identified through CPE patterns as a WordPress plugin component, implements inadequate authorization checks on API endpoints or administrative functions that should require authentication. Unlike CWE-863 (Incorrect Authorization), which involves flawed authorization logic, this vulnerability represents a complete absence of authorization enforcement, allowing the application to process requests that should be restricted to authenticated and privileged users. The network-based attack vector (CVSS:3.1/AV:N) indicates the flaw is exploitable remotely without local access, and the low attack complexity (AC:L) means no special conditions or tool sophistication is required.

RemediationAI

Upgrade the wpradiant Chocolate House plugin to version 1.1.6 or later once available; check the WordPress plugin repository or wpradiant's official website for the patched release. If immediate patching is not possible, implement network-level access controls to restrict requests to the vulnerable plugin's endpoints to trusted IP ranges, and consider temporarily disabling the Chocolate House plugin until a patch is confirmed. Additionally, audit WordPress user roles and capabilities to ensure least-privilege assignments, and monitor access logs for unauthorized modification attempts. Enable WordPress security logging to detect exploitation attempts targeting the missing authorization flaw.

Share

EUVD-2026-11836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy