CVE-2026-32396

The Team plugin by RadiusTheme for WordPress contains a Missing Authorization vulnerability affecting versions through 5.0.13. This flaw is categorized as a broken access control issue, meaning the plugin fails to properly verify user permissions or nonce tokens before executing certain higher-privileged actions. As a result, an attacker without proper authentication could exploit the missing access control checks to perform unauthorized operations.

Exploitation of this vulnerability does not require any special network position or authenticated session; it can be triggered by any unprivileged user by sending crafted requests to the vulnerable plugin endpoints. The CVSS v3 base score of 5.3 reflects the medium severity, but the advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of sites at once.

If exploited, an attacker could gain access to functionality intended only for authorized users, potentially leading to data exposure, modification, or other unauthorized actions depending on the affected endpoint. The exact impact is limited to the broken access control context, but the lack of authentication requirements increases the attack surface significantly.

The maintainers have addressed this issue in version 5.0.14. Users are strongly advised to update immediately or enable auto-updates. For those unable to update, consulting a hosting provider or web developer for remediation is recommended. The vendor has not indicated any available workarounds beyond updating [1].