Skip to main content

Wp Terms Popup EUVDEUVD-2026-15839

| CVE-2026-32495 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-x5qc-mg7g-45gj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15839
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0.

AnalysisAI

A missing authorization vulnerability exists in WP Terms Popup plugin for WordPress (versions through 2.10.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthenticated or low-privileged attackers to access restricted functionality without proper permission checks. This issue was reported by Patchstack and affects all installations of the plugin up to and including version 2.10.0.

Technical ContextAI

The vulnerability resides in the WP Terms Popup plugin (identified via CPE cpe:2.3:a:link_software_llc:wp_terms_popup:*:*:*:*:*:*:*:*), a WordPress plugin developed by Link Software LLC. The root cause is classified under CWE-862 (Missing Authorization), which indicates the application fails to perform proper authorization checks before allowing access to restricted resources or functions. In WordPress plugin contexts, this typically manifests as missing nonce validation, inadequate capability checks, or improper AJAX endpoint protection. The plugin handles terms-related popup functionality, and the broken access control allows bypassing the intended permission model that should restrict who can configure or trigger these popups.

RemediationAI

Immediately upgrade WP Terms Popup to a version newer than 2.10.0, with the specific patched version available from the plugin's official repository or via the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve). If an immediate patch is unavailable, temporarily disable the WP Terms Popup plugin to prevent unauthorized access to popup configuration functions. As a complementary control, enforce authentication and authorization checks at the WordPress application level by limiting plugin functionality to authenticated users via user role restrictions in WordPress settings, and audit plugin access logs to detect exploitation attempts.

Share

EUVD-2026-15839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy