{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32339", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:35.808Z", "datePublished": "2026-03-13T11:41:56.845Z", "dateUpdated": "2026-04-29T09:51:57.611Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bakes-and-cakes", "product": "Bakes And Cakes", "vendor": "raratheme", "versions": [{"changes": [{"at": "1.3.0", "status": "unaffected"}], "lessThanOrEqual": "1.2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:37.744Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Bakes And Cakes: from n/a through <= 1.2.9.</p>"}], "value": "Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bakes And Cakes: from n/a through <= 1.2.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.611Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/bakes-and-cakes/vulnerability/wordpress-bakes-and-cakes-theme-1-2-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Bakes And Cakes theme <= 1.2.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:23:13.772956Z", "id": "CVE-2026-32339", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:23:36.573Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:23:13.772956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:22:40.504Z"}}], "cna": {"title": "WordPress Bakes And Cakes theme <= 1.2.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "raratheme", "product": "Bakes And Cakes", "versions": [{"status": "affected", "changes": [{"at": "1.3.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.9"}], "packageName": "bakes-and-cakes", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:16.568Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/bakes-and-cakes/vulnerability/wordpress-bakes-and-cakes-theme-1-2-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bakes And Cakes: from n/a through <= 1.2.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Bakes And Cakes: from n/a through <= 1.2.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:41:56.845Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32339", "state": "PUBLISHED", "dateUpdated": "2026-03-13T19:23:36.573Z", "dateReserved": "2026-03-12T11:10:35.808Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:41:56.845Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bakes And Cakes: from n/a through <= 1.2.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en raratheme Bakes And Cakes bakes-and-cakes permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Bakes And Cakes: desde n/a hasta &lt;= 1.2.9."}], "id": "CVE-2026-32339", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:44.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/bakes-and-cakes/vulnerability/wordpress-bakes-and-cakes-theme-1-2-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Bakes And Cakes", "source": "cna", "vendor": "raratheme"}, "product": "bakes_and_cakes", "vendor": "raratheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:01:51.836152+00:00", "value": {"mitigation_remediation": ["Upgrade raratheme Bakes And Cakes theme to version 1.3 or later (if available).", "If an upgrade is not yet available, disable or remove the theme until a patched version is released.", "Verify that access controls are properly enforced by testing user roles after the update."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Vendor raratheme Bakes And Cakes theme, versions up to and including 1.2.9 are affected", "description_and_impact": "Missing Authorization vulnerability in raratheme Bakes And Cakes allows attackers to bypass configured access control and perform actions that should be restricted, leading to unauthorized data access or modification. The weakness is a classic missing authorization flaw (CWE\u2011862).", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3 and an EPSS score below 1\u202f%. It is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is through the WordPress web interface, where an unauthenticated or insufficiently privileged user can invoke protected functionality. An attacker who can reach the theme\u2019s endpoints could gain unauthorized access to site data or administrative functions, depending on the level of access required by those endpoints."}}}}, "created": "2026-03-16T09:37:29.567452+00:00", "updated": "2026-03-23T09:59:16.020227+00:00", "vendors": ["raratheme", "raratheme$PRODUCT$bakes_and_cakes", "wordpress", "wordpress$PRODUCT$wordpress"]}