Skip to main content

Wp Configurator Pro EUVDEUVD-2026-15851

| CVE-2026-32501 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-943g-5x48-w59q
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15851
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9.

AnalysisAI

WP Configurator Pro contains a missing authorization vulnerability (CWE-862) that allows attackers to bypass access controls and exploit incorrectly configured security levels within the plugin. All versions of WP Configurator Pro through version 3.7.9 are affected. An attacker can gain unauthorized access to sensitive configuration functions and data by circumventing the broken access control mechanisms, potentially compromising WordPress site integrity and confidentiality.

Technical ContextAI

The vulnerability resides in the WP Configurator Pro WordPress plugin (identified via CPE cpe:2.3:a:wp-configurator:wp_configurator_pro:*:*:*:*:*:*:*:*), which provides configuration management functionality for WordPress installations. The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to sensitive administrative or configuration functions. WordPress plugins of this type typically handle site-wide settings and configurations, and improper access control allows unauthenticated or insufficiently privileged users to modify these settings. The vulnerability affects the plugin's core access control logic, where authorization checks are either missing, improperly implemented, or bypassed through parameter manipulation.

RemediationAI

The primary remediation is to upgrade WP Configurator Pro to a patched version beyond 3.7.9 as soon as a security update is released by the vendor. Site administrators should check the Patchstack advisory and the plugin's official repository for the latest security patch. As an interim mitigation while awaiting a patch, restrict access to the wp-admin area and plugin configuration pages to trusted IP addresses using a Web Application Firewall (WAF) or server-level access controls, disable the WP Configurator Pro plugin if it is not actively in use, and audit recent configuration changes and user access logs for signs of unauthorized modifications. Additionally, implement capability-based access restrictions at the WordPress level to limit which user roles can interact with configuration functions.

Share

EUVD-2026-15851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy