Skip to main content

Vw Photography EUVDEUVD-2026-11976

| CVE-2026-32436 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11976
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in vowelweb VW Photography vw-photography allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Photography: from n/a through <= 1.3.8.

AnalysisAI

Improper access control in VW Photography through version 1.3.8 permits unauthenticated attackers to modify application data due to missing authorization checks on sensitive functions. An attacker can exploit this vulnerability over the network without user interaction to alter content or settings, though confidentiality and availability are not impacted. No patch is currently available for this vulnerability.

Technical ContextAI

The VW Photography plugin for WordPress (identified via CPE string cpe:2.3:a:vowelweb:vw_photography) implements photography management and gallery features but fails to implement proper authorization checks on sensitive operations. The vulnerability falls under CWE-862 (Missing Authorization), which indicates that security-critical functions lack proper verification that the requesting user has explicit permission to perform the action. The plugin likely fails to validate user roles and capabilities before processing POST/PUT requests or API calls that modify photography data, allowing the 'I' (Integrity) component of CIA to be compromised. This is distinct from authentication failures; the user may be authenticated or the check may be entirely absent, but the authorization layer that determines what an authenticated user can do is misconfigured or missing entirely.

RemediationAI

Immediately update the VW Photography plugin to the latest available version (1.3.9 or later if released) through the WordPress admin dashboard or directly from the official plugin repository. If an immediate patch is unavailable, restrict plugin access by enforcing role-based capabilities at the WordPress level using security plugins (such as Wordfence) to limit who can access photography management features, disable the plugin's public-facing API endpoints if not required, and implement Web Application Firewall (WAF) rules to block unauthorized modification requests to photography endpoints. Additionally, review all recent changes to photography galleries and content to detect any unauthorized modifications made during the vulnerability window.

Share

EUVD-2026-11976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy