CVE-2026-32439
Description
Missing Authorization vulnerability in WebGeniusLab BigHearts bighearts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BigHearts: from n/a through <= 3.1.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-32439 is a missing authorization vulnerability in the BigHearts WordPress theme (≤3.1.14), allowing low-privilege users to escalate access.
Vulnerability Overview
CVE-2026-32439 describes a missing authorization flaw in the BigHearts WordPress theme, developed by WebGeniusLab. The issue stems from incorrectly configured access control security levels, effectively a broken access control vulnerability where the software fails to properly enforce permission checks before granting higher-privileged actions [1].
Exploitation Context
This vulnerability is classified as exploitable without requiring authentication, as the missing authorization check may allow an unauthenticated attacker to trigger functions intended for higher-privileged roles. The attack surface is primarily through web requests to the theme's exposed endpoints. According to the advisory, such vulnerabilities are frequently leveraged in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].
Impact and Mitigation
A successful exploit could allow an attacker to bypass access controls, potentially altering theme settings, accessing sensitive configuration data, or performing other actions that should be restricted to administrators. The CVSS v3 base score is 5.3 (Medium), reflecting a moderate severity due to the potential for privilege escalation [1].
As of the advisory, a patched version is not explicitly confirmed; however, the recommended immediate action is to update the theme to the latest available version. For users unable to update, consulting with a hosting provider or developer is advised to implement additional security measures [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.1.14
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.