VYPR
Medium severity · 5.3 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32487

Description

Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Landing Page: from n/a through <= 1.2.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lawyer Landing Page theme ≤1.2.7 has a missing authorization vulnerability allowing unauthenticated access to higher-privileged actions.

Vulnerability Overview

The Lawyer Landing Page theme for WordPress, versions up to and including 1.2.7, contains a missing authorization vulnerability. This broken access control flaw stems from an incorrect configuration of access control security levels, meaning theme functions that should require higher privileges do not properly check for authentication or authorization tokens [1]. As a result, the theme fails to enforce privilege separation for certain actions.

Exploitation

This vulnerability is categorized as a broken access control issue where unprivileged users — potentially including unauthenticated visitors — can execute actions that are normally reserved for higher-privileged roles such as administrators. The attack surface is broad because no special prerequisites are needed beyond a publicly accessible WordPress site running the affected theme version [1]. Attackers can exploit this in mass campaigns, targeting thousands of sites regardless of size or popularity.

Impact

Successful exploitation enables an attacker to perform unauthorized operations within the WordPress installation, possibly leading to site defacement, data exposure, or further privilege escalation. The vendor advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns due to the low barrier to exploitation [1].

Mitigation

Users should immediately update the theme to a patched version if available. For those unable to update, contacting the hosting provider or a web developer is recommended. The vulnerability affects all versions from n/a through 1.2.7, so any site running these versions is at risk [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
