CVE-2026-32379
Description
Missing Authorization vulnerability in raratheme Rara Academic rara-academic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rara Academic: from n/a through <= 1.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Rara Academic WordPress theme ≤1.2.2 lacks proper access controls, allowing unauthenticated attackers to exploit misconfigured security levels.
Vulnerability Overview
The Rara Academic WordPress theme, versions 1.2.2 and earlier, contains a missing authorization vulnerability. The root cause is an incorrectly configured access control security level in the theme's code, which fails to verify user privileges before granting access to certain restricted functions or data [1].
Attack Vector and Requirements
This vulnerability is classified as a broken access control issue, meaning a function lacks a proper authentication or nonce token check. An attacker can exploit this by sending crafted requests to the affected site without any prior authentication. No special network position or user interaction is needed; the attack vector is over the network [1].
Impact
Successful exploitation allows an unprivileged, unauthenticated attacker to execute actions that should be reserved for higher-privileged users, such as administrators. This can lead to unauthorized modification of site content, user data exposure, or other privilege escalation outcomes. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vulnerability is present in all versions up to and including 1.2.2. Users are strongly advised to update the theme to the latest patched version as soon as possible. If updating is not feasible, consulting a hosting provider or web developer for alternative mitigation steps is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
- Range: <=1.2.2
Patches
0
No patches discovered yet.
References
1