Description
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous: from n/a through < 2.1.2.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The Miraculous WordPress theme contains a missing authorization flaw that allows users to perform actions normally reserved for site administrators. This broken access control can lead to unauthorized disclosure, modification, or deletion of site content, and can disrupt normal site operations.

Affected Systems

All installations of the Miraculous theme created by kamleshyadav that run a version earlier than 2.1.2 are affected. The vulnerability applies to every copy of the theme deployed on a WordPress site, regardless of other configurations, until the official patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is relatively unlikely. The vulnerability is not listed in CISA’s KEV catalog, which reduces the likelihood that it is already being exploited. The attack path is inferred from the description: an attacker would access theme files or administrative pages that are not correctly protected, and could then elevate privileges or perform unauthorized actions without explicit user confirmation.

Generated by OpenCVE AI on March 26, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Miraculous theme to version 2.1.2 or newer provided by the vendor.
  • If an upgrade is not possible at present, disable or remove the Miraculous theme to eliminate the vulnerability.
  • Verify that only administrator roles have access to theme settings and high‑privilege actions within WordPress.
  • Monitor site logs and activity for signs of unauthorized changes to theme configuration or content.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kamleshyadav; Kamleshyadav miraculous; Wordpress; Wordpress wordpress
Vendors & Products | | Kamleshyadav; Kamleshyadav miraculous; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous: from n/a through < 2.1.2.
Title | | WordPress Miraculous theme < 2.1.2 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T13:25:12.821Z

Reserved: 2026-03-12T11:12:13.806Z

Link: CVE-2026-32515

Vulnrichment

Updated: 2026-03-26T13:25:02.908Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:03.987

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:48Z

Weaknesses