CVE-2026-32388

The GLB WordPress theme (versions up to and including 1.2.2) suffers from a missing authorization vulnerability. The root cause is the absence of proper access control checks in certain functions, allowing users with lower privileges to perform actions that should require higher privileges. This is classified as a Broken Access Control issue and is documented by Patchstack [1].

This vulnerability can be exploited without authentication or with minimal privileges, depending on the specific insecure function. The attack surface is the WordPress site's front-end or back-end areas where the theme's vulnerable code is exposed. Because the flaw involves missing authorization, an attacker does not need any special access to exploit it [1].

Successful exploitation enables an unprivileged attacker to perform higher-privileged actions, such as modifying settings or data that should be restricted. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites, regardless of individual site traffic or popularity [1].

Users are strongly advised to update the GLB theme to a patched version as soon as it becomes available. If an update is not possible, site owners should consult with their hosting provider or a web developer to implement alternative access control measures. No other CVEs are mentioned in the reference material [1].