Skip to main content

Miraculous EUVDEUVD-2026-15874

| CVE-2026-32515 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-w55m-jf9q-fmg9
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.1.2
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15874
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2.

AnalysisAI

A Missing Authorization vulnerability (CWE-862) exists in the Miraculous theme by kamleshyadav, affecting versions prior to 2.1.2, that allows attackers to bypass access control security levels through incorrectly configured authorization mechanisms. An attacker can exploit this flaw to access restricted functionality or resources that should require proper authentication and authorization checks. While no CVSS score, EPSS data, or KEV status has been publicly assigned, the vulnerability has been documented by Patchstack and carries authentication bypass implications that warrant timely patching.

Technical ContextAI

The Miraculous theme (CPE: cpe:2.3:a:kamleshyadav:miraculous:*:*:*:*:*:*:*:*) is a WordPress theme that implements access control mechanisms to restrict user access to certain features or content based on user roles and permissions. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when software fails to perform authorization checks before allowing access to restricted operations or resources. In the context of WordPress themes, this typically manifests as missing capability checks (current_user_can()) or role validation before executing sensitive actions, allowing authenticated or unauthenticated users to perform operations intended only for administrators or higher-privileged roles. The flaw indicates that the theme's access control configuration does not properly enforce security levels across all sensitive endpoints or functions.

RemediationAI

Immediately upgrade the Miraculous theme to version 2.1.2 or later, which contains the authorization control fixes. This can be performed through the WordPress dashboard by navigating to Appearance > Themes, locating Miraculous, and clicking Update if available, or by manually downloading the patched version from the official source and uploading it via SFTP or WordPress file manager. Until patching is completed, WordPress administrators should review and restrict user role assignments, ensuring that only trusted administrators have elevated capabilities, and consider temporarily disabling the theme if it is not actively in use on critical functionality. Additionally, implement WordPress security hardening measures such as enforcing strong authentication (two-factor authentication via a security plugin), limiting login attempts, and regularly auditing user roles and permissions to detect unauthorized access attempts.

Share

EUVD-2026-15874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy