{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32363", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.774Z", "datePublished": "2026-03-13T11:42:05.330Z", "dateUpdated": "2026-04-29T09:51:57.912Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "free-php-version-info", "product": "WPLifeCycle", "vendor": "Funlus Oy", "versions": [{"changes": [{"at": "4.0", "status": "unaffected"}], "lessThanOrEqual": "3.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:48.875Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPLifeCycle: from n/a through <= 3.3.1.</p>"}], "value": "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLifeCycle: from n/a through <= 3.3.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.912Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/free-php-version-info/vulnerability/wordpress-wplifecycle-plugin-3-3-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPLifeCycle plugin <= 3.3.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T20:34:28.805154Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:44:10.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T20:34:28.805154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T20:34:29.435Z"}}], "cna": {"title": "WordPress WPLifeCycle plugin <= 3.3.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Funlus Oy", "product": "WPLifeCycle", "versions": [{"status": "affected", "changes": [{"at": "4.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.3.1"}], "packageName": "free-php-version-info", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:48.875Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/free-php-version-info/vulnerability/wordpress-wplifecycle-plugin-3-3-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLifeCycle: from n/a through <= 3.3.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPLifeCycle: from n/a through <= 3.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.912Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32363", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.912Z", "dateReserved": "2026-03-12T11:10:53.774Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:05.330Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLifeCycle: from n/a through <= 3.3.1."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Funlus Oy WPLifeCycle free-php-version-info permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WPLifeCycle: desde n/a hasta &lt;= 3.3.1."}], "id": "CVE-2026-32363", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:50.317", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/free-php-version-info/vulnerability/wordpress-wplifecycle-plugin-3-3-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPLifeCycle", "source": "cna", "vendor": "Funlus Oy"}, "product": "wplifecycle", "vendor": "funlus_oy"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T14:58:10.330004+00:00", "value": {"mitigation_remediation": ["Check for an updated version of the WPLifeCycle plugin on the vendor\u2019s website and install it if available.", "Restrict access to the plugin\u2019s administrative pages or disable the free\u2011php-version-info endpoint if possible.", "Keep WordPress core and all plugins up\u2011to\u2011date, use a Web Application Firewall, and monitor logs for suspicious activity.", "If no update is available, consider disabling or removing the plugin to eliminate the vulnerability."], "summary": {"action": "Assess Impact", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Affected products include the Funlus Oy WPLifeCycle WordPress plugin for all versions from the earliest release through version 3.3.1. The vulnerable code resides in the free\u2011php-version-info endpoint, so any installation of the plugin up to and including 3.3.1 is impacted. No specific revision numbers are listed, but the issue applies to the entire range of affected versions.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Funlus Oy WPLifeCycle WordPress plugin\u2019s free\u2011php-version-info functionality, which allows attackers to exploit incorrectly configured access controls. Key detail from CVE description: \"Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels.\" This broken access control (CWE\u2011862) means an unauthenticated or poorly authenticated user can access privileged operations or sensitive information that should be protected, potentially leading to data exposure or unauthorized actions within the WordPress site.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk, while the EPSS score of less than 1% shows low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through remote HTTP requests to the free\u2011php-version-info endpoint, and the exploit requires the ability to interact with the WordPress site, possibly requiring an authenticated user with limited privileges. Because the problem is a broken access control, an attacker could gain unauthorized access to sensitive information or functionality if the endpoint is exposed."}}}}, "created": "2026-03-16T09:34:44.645258+00:00", "updated": "2026-03-23T09:58:54.634153+00:00", "vendors": ["funlus_oy", "funlus_oy$PRODUCT$wplifecycle", "wordpress", "wordpress$PRODUCT$wordpress"]}