{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32441", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:35.693Z", "datePublished": "2026-03-25T16:14:57.389Z", "dateUpdated": "2026-03-26T19:12:45.830Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "comments-import-export-woocommerce", "product": "Comments Import & Export", "vendor": "WebToffee", "versions": [{"changes": [{"at": "2.5.0", "status": "unaffected"}], "lessThanOrEqual": "<= 2.4.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.144Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Comments Import & Export: from n/a through <= 2.4.9.</p>"}], "value": "Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.389Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/comments-import-export-woocommerce/vulnerability/wordpress-comments-import-export-plugin-2-4-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Comments Import & Export plugin <= 2.4.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:12:06.201621Z", "id": "CVE-2026-32441", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:12:45.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32441", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:12:06.201621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:11:19.611Z"}}], "cna": {"title": "WordPress Comments Import & Export plugin <= 2.4.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WebToffee", "product": "Comments Import & Export", "versions": [{"status": "affected", "changes": [{"at": "2.5.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.4.9"}], "packageName": "comments-import-export-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:36.144Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/comments-import-export-woocommerce/vulnerability/wordpress-comments-import-export-plugin-2-4-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Comments Import & Export: from n/a through <= 2.4.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.389Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32441", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:12:45.830Z", "dateReserved": "2026-03-12T11:11:35.693Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:57.389Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WebToffee Comments Import &amp; Export comments-import-export-woocommerce permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Comments Import &amp; Export: desde n/a hasta &lt;= 2.4.9."}], "id": "CVE-2026-32441", "lastModified": "2026-03-26T19:17:00.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:59.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/comments-import-export-woocommerce/vulnerability/wordpress-comments-import-export-plugin-2-4-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.5.0,*]"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "Comments Import & Export", "source": "cna", "vendor": "WebToffee"}, "product": "wordpress_comments_import_and_export", "vendor": "webtoffee"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:38:25.810089+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest version available from the vendor, which addresses the access control issue.", "If a patch is not immediately available, disable or uninstall the Comments Import & Export plugin to prevent exploitation.", "Restrict access to the import/export functions by applying role\u2011based restrictions or ensuring only trusted administrators have the relevant capabilities.", "Monitor site logs for abnormal import/export activity and audit user accounts for unauthorized changes."], "summary": {"action": "Apply patch", "impact": "Privilege escalation via missing authorization"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts all installations of WebToffee\u2019s Comments Import & Export plugin for WordPress that are version 2.4.9 or earlier. No specific WordPress core version constraints are listed, so any site running the affected plugin version is at risk.", "description_and_impact": "The Comments Import & Export plugin has a missing authorization flaw that allows an attacker to bypass the plugin\u2019s access controls. This vulnerability is identified as CWE-862 and can be used to gain unauthorized access to import or export functionality, potentially leading to data tampering or leakage. The flaw stems from incorrectly configured security levels that fail to validate user permissions before performing plugin actions.", "risk_and_exploitability": "There is no CVSS or EPSS score available. The plugin operates as a WordPress plugin and therefore the attack vector is likely remote via the web interface; an attacker who can interact with the plugin\u2019s import/export endpoints could exploit the flaw without any special privileges. The vulnerability is not currently listed in the CISA KEV catalog, but the potential for unauthorized data manipulation makes it high risk for sites that rely on the plugin\u2019s functionality."}}}}, "created": "2026-03-25T21:43:45.250227+00:00", "updated": "2026-03-26T11:37:44.032351+00:00", "vendors": ["webtoffee", "webtoffee$PRODUCT$wordpress_comments_import_and_export", "wordpress", "wordpress$PRODUCT$wordpress"]}