CVE-2026-32377

Vulnerability

Details

The Pranayama Yoga WordPress theme versions up to and including 1.2.2 contain a missing authorization vulnerability [1]. The theme fails to properly enforce access control checks in certain functions, allowing users without the required privileges to execute actions that should be restricted to higher-privileged roles. This is a classic broken access control issue where authorization, authentication, or nonce token checks are absent [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted requests to the affected WordPress site. No authentication is required, as the missing authorization check allows unauthenticated users to trigger privileged actions [1]. The attack complexity is low, and no special network position is needed beyond standard web access.

Impact

Successful exploitation enables an attacker to perform actions normally reserved for administrators or other high-privilege roles. This could lead to unauthorized content modification, user account manipulation, or other site compromise scenarios [1]. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites.

Mitigation

The vulnerability is patched in versions after 1.2.2. Users are strongly advised to update the Pranayama Yoga theme to the latest available version immediately [1]. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended.