{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32372", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:59.411Z", "datePublished": "2026-03-13T11:42:06.960Z", "dateUpdated": "2026-04-29T09:51:57.968Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "shopbuilder", "product": "ShopBuilder \u2013 Elementor WooCommerce Builder Addons", "vendor": "RadiusTheme", "versions": [{"changes": [{"at": "3.2.5", "status": "unaffected"}], "lessThanOrEqual": "3.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:50.246Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.<p>This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.968Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/shopbuilder/vulnerability/wordpress-shopbuilder-elementor-woocommerce-builder-addons-plugin-3-2-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress ShopBuilder \u2013 Elementor WooCommerce Builder Addons plugin <= 3.2.4 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:36:27.849027Z", "id": "CVE-2026-32372", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:36:40.124Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32372", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:36:27.849027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:36:23.385Z"}}], "cna": {"title": "WordPress ShopBuilder \u2013 Elementor WooCommerce Builder Addons plugin <= 3.2.4 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "RadiusTheme", "product": "ShopBuilder \u2013 Elementor WooCommerce Builder Addons", "versions": [{"status": "affected", "changes": [{"at": "3.2.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2.4"}], "packageName": "shopbuilder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:50.246Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/shopbuilder/vulnerability/wordpress-shopbuilder-elementor-woocommerce-builder-addons-plugin-3-2-4-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.<p>This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32372", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.968Z", "dateReserved": "2026-03-12T11:10:59.411Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:06.960Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n sensible del sistema a una esfera de control no autorizada en RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder permite recuperar datos sensibles incrustados. Este problema afecta a ShopBuilder \u2013 Elementor WooCommerce Builder Addons: desde n/a hasta &lt;= 3.2.4."}], "id": "CVE-2026-32372", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:51.673", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/shopbuilder/vulnerability/wordpress-shopbuilder-elementor-woocommerce-builder-addons-plugin-3-2-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.2.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ShopBuilder \u2013 Elementor WooCommerce Builder Addons", "source": "cna", "vendor": "RadiusTheme"}, "product": "shopbuilder_\u2013_elementor_woocommerce_builder_addons", "vendor": "radiustheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T17:21:33.230295+00:00", "value": {"mitigation_remediation": ["Verify the current ShopBuilder plugin version.", "Upgrade the RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons to a version newer than 3.2.4 if available.", "If no update is available, consider disabling or removing the plugin until a patch is released.", "Restrict access to the WordPress admin area to trusted users as an additional precaution.", "Monitor the vendor's official channels for patch releases or temporary fixes."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress installations that include the RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons plugin from its initial release through version 3.2.4, as specified by vendor documentation. Any site using these versions is susceptible to the data exposure if the plugin is active. Key detail from vendor documentation: all releases from n/a through <= 3.2.4 are affected.", "description_and_impact": "The RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons plugin (versions <= 3.2.4) contains a flaw that enables retrieval of embedded sensitive system information, allowing attackers to expose confidential data within a WordPress site. Key detail from vendor description: the plugin can expose sensitive system information to an unauthorized control sphere, categorized as CWE-497. This vulnerability compromises confidentiality by exposing embedded sensitive data to anyone who can trigger the flaw.", "risk_and_exploitability": "The severity rating per CVSS is 5.3, indicating moderate difficulty in exploitation, while the EPSS score is less than 1%, suggesting a low likelihood of real-world exploitation. Key detail from scoring data: the vulnerability is not listed in the CISA KEV catalog. The description does not explicitly state an authentication requirement, so based on the description it is inferred that an attacker could potentially exploit the flaw via publicly accessible plugin endpoints or through administrative access to the WordPress backend, exposing confidential information."}}}}, "created": "2026-03-16T09:34:36.555295+00:00", "updated": "2026-03-23T12:05:14.808670+00:00", "vendors": ["radiustheme", "radiustheme$PRODUCT$shopbuilder_\u2013_elementor_woocommerce_builder_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}