CVE-2026-32375

Vulnerability

Overview

The Travel Diaries theme for WordPress, versions up to and including 1.2.4, contains a missing authorization vulnerability. This issue arises from improperly configured access control security levels, allowing unauthorized users to bypass authentication checks. According to the Patchstack advisory, the vulnerability is classified as a broken access control issue, meaning functions lack proper authorization, authentication, or nonce token checks [1].

Exploitation

Conditions

An attacker can exploit this vulnerability without requiring any prior authentication. The attack is performed over the network, exploiting the missing authorization to execute higher-privileged actions intended only for authenticated users. The CVSS score is 5.3 (Medium), indicating a moderate severity, but it can be particularly dangerous in mass-exploit campaigns targeting thousands of sites simultaneously regardless of size or popularity [1].

Impact

Successful exploitation allows an unprivileged user to gain unauthorized access to sensitive functionality, potentially leading to privilege escalation. The attacker could modify theme settings, inject malicious content, or perform other administrative tasks without proper authorization.

Mitigation

Users are strongly advised to update the Travel Diaries theme to a patched version as soon as possible. If immediate updates are not feasible, contacting the hosting provider or a web developer for assistance is recommended [1].