CVE-2026-32378

Vulnerability

Overview The Book Landing Page theme for WordPress versions up to and including 1.2.7 suffers from a missing authorization vulnerability. The theme fails to properly verify access control security levels, allowing unauthenticated or low-privileged users to perform actions that should require higher privileges. This is a classic broken access control issue, as described in the Patchstack advisory [1].

Exploitation

Conditions No authentication is required to exploit this vulnerability, making it easily accessible to remote attackers. The attack vector is network-based, and the complexity is low, as indicated by the CVSS v3 base score of 5.3 [1]. An attacker can send specially crafted requests to trigger the missing authorization check, potentially gaining access to restricted functionality or data.

Impact

Successful exploitation enables an attacker to bypass intended access restrictions, leading to unauthorized actions such as modifying settings, accessing sensitive information, or performing operations reserved for higher-privileged users. Such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users are strongly advised to update the theme to the latest available version if a patch becomes available. If an update is not possible, consider disabling the theme or implementing additional access controls through a Web Application Firewall (WAF) or custom code changes [1].