{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32440", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:35.693Z", "datePublished": "2026-03-13T11:42:19.810Z", "dateUpdated": "2026-04-29T09:51:59.644Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://elements.envato.com", "defaultStatus": "unaffected", "packageName": "wp-food", "product": "WP Food", "vendor": "Ex-Themes", "versions": [{"changes": [{"at": "2.7.1", "status": "unaffected"}], "lessThanOrEqual": "2.7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:12.507Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Food: from n/a through < 2.7.1.</p>"}], "value": "Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Food: from n/a through < 2.7.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.644Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-food/vulnerability/wordpress-wp-food-plugin-2-7-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Food plugin < 2.7.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T15:40:13.603253Z", "id": "CVE-2026-32440", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:40:37.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T15:40:13.603253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:39:26.596Z"}}], "cna": {"title": "WordPress WP Food plugin < 2.7.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Ex-Themes", "product": "WP Food", "versions": [{"status": "affected", "changes": [{"at": "2.7.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 2.7.1"}], "packageName": "wp-food", "collectionURL": "https://elements.envato.com", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:23.393Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-food/vulnerability/wordpress-wp-food-plugin-2-7-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Food: from n/a through < 2.7.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Food: from n/a through < 2.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:19.810Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32440", "state": "PUBLISHED", "dateUpdated": "2026-03-13T15:40:37.844Z", "dateReserved": "2026-03-12T11:11:35.693Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:19.810Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ex-Themes WP Food wp-food allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Food: from n/a through < 2.7.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ex-Themes WP Food wp-food permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Food: desde n/a hasta &lt; 2.7.1."}], "id": "CVE-2026-32440", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:04.473", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-food/vulnerability/wordpress-wp-food-plugin-2-7-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.7.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Food", "source": "cna", "vendor": "Ex-Themes"}, "product": "wp_food", "vendor": "ex-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:13:17.493313+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Food plugin to version 2.7.1 or later.", "Verify that the plugin has been updated to the patched version.", "If an update is not immediately feasible, restrict access to the plugin\u2019s administrative pages or disable the plugin until a patch can be applied.", "Monitor site logs for any unauthorized or anomalous activity related to the WP Food plugin."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "All installations of the WP Food plugin from the earliest releases up to, but not including, version 2.7.1 are affected.", "description_and_impact": "The vulnerability is a missing authorization flaw in Ex-Themes WP Food that allows an attacker to exploit incorrectly configured access control security levels. The issue can be classified under CWE-862 and results in unauthorized access to plugin features or data, potentially enabling data disclosure or modification.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation currently. The vulnerability has not been listed in the CISA KEV catalog. Given that it is a broken access control flaw, an attacker would likely need authenticated access to the WordPress site's backend or the plugin's interface, but no special privileges are required beyond that. Because the exploit path is straightforward and the EPSS is low, the overall risk is considered moderate, yet administrators should still remediate promptly."}}}}, "created": "2026-03-16T09:33:25.977324+00:00", "updated": "2026-03-23T12:03:24.046307+00:00", "vendors": ["ex-themes", "ex-themes$PRODUCT$wp_food", "wordpress", "wordpress$PRODUCT$wordpress"]}