Skip to main content

Numinous EUVDEUVD-2026-11883

| CVE-2026-32380 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11883
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0.

AnalysisAI

Numinous theme versions up to 1.3.0 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the theme's security implementation and could enable unauthorized changes to application data without authentication. No patch is currently available for this issue.

Technical ContextAI

This vulnerability is classified as CWE-862 (Missing Authorization), which represents a fundamental access control failure where security mechanisms fail to properly verify user permissions before allowing sensitive operations. The affected product is the Numinous theme by raratheme, a WordPress theme that likely implements custom post types, settings pages, or REST API endpoints without adequate capability checks. The vulnerability suggests that functions handling content modification or configuration changes are missing WordPress nonce verification or role-based capability checks (wp_verify_nonce(), current_user_can()), allowing any network-based actor to trigger administrative actions. The issue spans from an unspecified initial version through Numinous 1.3.0, indicating the flaw existed through at least the 1.3.0 release cycle.

RemediationAI

Upgrade the Numinous theme to a patched version greater than 1.3.0 as soon as a fix is released by raratheme. Check the official raratheme website or WordPress.org theme repository for version 1.3.1 or later. Until a patch is available, implement server-level access controls by restricting theme functionality endpoints using a Web Application Firewall (WAF) to block requests to suspicious theme action hooks, or temporarily disable the Numinous theme and switch to an alternative WordPress theme. Additionally, monitor WordPress logs for unauthorized POST requests to admin-ajax.php or REST API endpoints associated with the theme, and consider implementing a WordPress security plugin (such as Wordfence or Sucuri) to add integrity monitoring and access control hardening. For production environments with critical data, isolate the affected WordPress installation behind additional authentication layers or disable public access until patching is completed.

Share

EUVD-2026-11883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy