CVE-2026-32515 - Vulnerability Details - OpenCVE

Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Vendors	Products
Kamleshyadav Subscribe	Miraculous Subscribe
Wordpress Subscribe	Wordpress Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Kamleshyadav Subscribe	Miraculous Subscribe
Wordpress Subscribe	Wordpress Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-1-2-broken-access-control-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kamleshyadav Kamleshyadav miraculous Wordpress Wordpress wordpress
Vendors & Products		Kamleshyadav Kamleshyadav miraculous Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2.
Title		WordPress Miraculous theme < 2.1.2 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-1-2-broken-access-control-vulnerability?_s_id=cve

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:15:06.206Z

Updated: 2026-03-26T13:25:12.821Z

Reserved: 2026-03-12T11:12:13.806Z

Link: CVE-2026-32515

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:17:03.987

Modified: 2026-03-25T17:17:03.987

Link: CVE-2026-32515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:35:17Z

Weaknesses

CWE-862

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32515", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:06.206Z", "dateUpdated": "2026-03-26T13:25:12.821Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "miraculous", "product": "Miraculous", "vendor": "kamleshyadav", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "< 2.1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.141Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Miraculous: from n/a through < 2.1.2.</p>"}], "value": "Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.1.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:06.206Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-1-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Miraculous theme < 2.1.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:25:08.920692Z", "id": "CVE-2026-32515", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:25:12.821Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "miraculous", "vendor": "kamleshyadav"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:20:41.604909+00:00", "value": {"mitigation_remediation": ["Update the Miraculous theme to version 2.1.2 or later", "Verify that the updated theme has restored proper authorization checks", "If an update is not immediately possible, disable or remove all theme\u2011provided administrative pages or functions that are not essential", "Monitor the site for unauthorized content changes or user privilege escalation attempts"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Miraculous theme with a version earlier than 2.1.2 are affected. The vulnerability does not impact newer releases of the theme and is limited to the theme\u2019s administrative interface and associated back\u2011end functions.", "description_and_impact": "A missing authorization check in the Miraculous WordPress theme allows attackers to perform actions that should be limited to privileged users. This broken access control can enable the creation, modification, or deletion of site content, user accounts, or other protected resources, thereby compromising confidentiality, integrity, and availability of the website.", "risk_and_exploitability": "The EPSS score is not supplied, and the vulnerability is not listed in CISA\u2019s KEV catalog, so the likelihood of exploitation is unknown. Nevertheless, because the flaw permits privilege escalation without requiring special credentials, an attacker who can access the site\u2019s administrative interface or manipulate the theme\u2019s custom endpoints can exploit the weakness. The potential impact is significant due to full control over site content and environment."}}}}, "created": "2026-03-25T21:47:24.911730+00:00", "updated": "2026-03-26T11:35:17.981797+00:00", "vendors": ["kamleshyadav", "kamleshyadav$PRODUCT$miraculous", "wordpress", "wordpress$PRODUCT$wordpress"]}