CVE-2026-32395

Vulnerability

Overview

CVE-2026-32395 is a missing authorization vulnerability in the Xpro Addons For Beaver Builder – Lite plugin for WordPress, affecting versions from n/a through 1.5.6. The issue stems from incorrectly configured access control security levels, which can be exploited by attackers to perform actions that should require higher privileges [1].

Exploitation

This broken access control vulnerability does not require authentication, making it accessible to any unauthenticated visitor. Attackers can leverage this flaw to execute privileged actions without proper authorization, potentially affecting thousands of websites in mass-exploit campaigns [1].

Impact

Successful exploitation allows an attacker to bypass access restrictions and perform unauthorized operations, such as modifying settings or content, depending on the specific missing checks. The CVSS v3 base score is 5.3 (Medium), indicating a moderate severity with low attack complexity [1].

Mitigation

The vendor has released version 1.5.7 which addresses the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].