{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32435", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:30.947Z", "datePublished": "2026-03-13T11:42:18.837Z", "dateUpdated": "2026-04-29T09:51:59.351Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "vw-pet-shop", "product": "VW Pet Shop", "vendor": "vowelweb", "versions": [{"changes": [{"at": "1.4.8", "status": "unaffected"}], "lessThanOrEqual": "1.4.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:16.244Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects VW Pet Shop: from n/a through <= 1.4.7.</p>"}], "value": "Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.351Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vw-pet-shop/vulnerability/wordpress-vw-pet-shop-theme-1-4-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress VW Pet Shop theme <= 1.4.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:46:28.887958Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:53:33.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:46:28.887958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:46:29.561Z"}}], "cna": {"title": "WordPress VW Pet Shop theme <= 1.4.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "vowelweb", "product": "VW Pet Shop", "versions": [{"status": "affected", "changes": [{"at": "1.4.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.7"}], "packageName": "vw-pet-shop", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:16.244Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vw-pet-shop/vulnerability/wordpress-vw-pet-shop-theme-1-4-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects VW Pet Shop: from n/a through <= 1.4.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:16:16.403Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32435", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:16:16.403Z", "dateReserved": "2026-03-12T11:11:30.947Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:18.837Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en vowelweb VW Pet Shop vw-pet-shop permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a VW Pet Shop: desde n/a hasta &lt;= 1.4.7."}], "id": "CVE-2026-32435", "lastModified": "2026-04-29T10:17:09.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:03.357", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vw-pet-shop/vulnerability/wordpress-vw-pet-shop-theme-1-4-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.4.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VW Pet Shop", "source": "cna", "vendor": "vowelweb"}, "product": "vw_pet_shop", "vendor": "vowelweb"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T16:18:02.471668+00:00", "value": {"mitigation_remediation": ["Upgrade the VW Pet Shop theme to a version newer than 1.4.7, if available.", "After upgrading, verify that theme\u2011related admin interfaces and functions are only accessible by users with appropriate roles.", "If an update is not currently available, restrict direct access to vulnerable theme files by adjusting file permissions and removing any unnecessary public entry points.", "Enable logging and monitoring of unauthorized access attempts to detect potential exploitation."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the vowelweb VW Pet Shop theme installed with a version of 1.4.7 or earlier. The affected range is \"from n/a through <= 1.4.7\", meaning all releases up to and including 1.4.7 are vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw (CWE-862) in the vowelweb VW Pet Shop WordPress theme that allows attackers to use incorrectly configured access control security levels. This flaw can enable users with no proper privileges to invoke functions or endpoints that are intended for higher\u2011privilege roles, potentially compromising the confidentiality or integrity of site data and allowing unauthorized changes or accesses.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via web\u2011based requests to the theme\u2019s endpoints or admin functions that should be protected. Based on the description, the vulnerability can be exploited by sending crafted HTTP requests to trigger privileged actions without proper authorization."}}}}, "created": "2026-03-16T09:33:33.389407+00:00", "updated": "2026-03-23T12:03:29.787180+00:00", "vendors": ["vowelweb", "vowelweb$PRODUCT$vw_pet_shop", "wordpress", "wordpress$PRODUCT$wordpress"]}