{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32495", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:59.408Z", "dateUpdated": "2026-03-26T18:59:07.424Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-terms-popup", "product": "WP Terms Popup", "vendor": "Link Software LLC", "versions": [{"changes": [{"at": "2.11.0", "status": "unaffected"}], "lessThanOrEqual": "<= 2.10.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.767Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Terms Popup: from n/a through <= 2.10.0.</p>"}], "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.408Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Terms Popup plugin <= 2.10.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:58:32.182941Z", "id": "CVE-2026-32495", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:59:07.424Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32495", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:58:32.182941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:58:08.281Z"}}], "cna": {"title": "WordPress WP Terms Popup plugin <= 2.10.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Link Software LLC", "product": "WP Terms Popup", "versions": [{"status": "affected", "changes": [{"at": "2.11.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.10.0"}], "packageName": "wp-terms-popup", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:37.767Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Terms Popup: from n/a through <= 2.10.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.408Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32495", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:59:07.424Z", "dateReserved": "2026-03-12T11:12:00.510Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:59.408Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Link Software LLC WP Terms Popup wp-terms-popup permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Terms Popup: desde n/a hasta &lt;= 2.10.0."}], "id": "CVE-2026-32495", "lastModified": "2026-03-26T19:17:00.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:01.247", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.11.0,*]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 93.0, "source": "matching"}]}, "original": {"product": "WP Terms Popup", "source": "cna", "vendor": "Link Software LLC"}, "product": "wp_terms_popup", "vendor": "linksoftwarellc"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:34:45.335329+00:00", "value": {"mitigation_remediation": ["Update WP Terms Popup to a version newer than 2.10.0. If an update is not feasible, deactivate or uninstall the plugin. Ensure that only trusted administrators retain content\u2011editing privileges on the site."], "summary": {"action": "Apply Update", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Link Software LLC\u2019s WP Terms Popup plugin is vulnerable in all releases up to and including version 2.10.0. Users whose sites run these versions are impacted and should plan an update or removal.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to bypass the plugin\u2019s access controls. By exploiting incorrect configuration of security levels, an attacker can perform actions that are normally restricted, such as viewing or modifying content, settings, or other sensitive data. This constitutes a broken access control weakness, classified under CWE\u2011862, and can lead to confidentiality and integrity breaches for the affected WordPress site.", "risk_and_exploitability": "Because the flaw removes the boundary between authorized and unauthorized users, the risk of exploitation is high. The CVSS score is not provided, and EPSS data is unavailable, but the sheer breadth of potential impact\u2014such as elevating user rights or manipulating site content\u2014makes it a serious concern. Attackers are likely able to reach the vulnerable code through web requests, so the attack vector is inferred to be remote and web\u2011based."}}}}, "created": "2026-03-25T21:43:33.492972+00:00", "updated": "2026-03-26T11:37:32.717861+00:00", "vendors": ["linksoftwarellc", "linksoftwarellc$PRODUCT$wp_terms_popup", "wordpress", "wordpress$PRODUCT$wordpress"]}