Cyber Posture

CVE-2026-32441

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0004 11.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32441 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Directly enforces approved authorizations to prevent low-privilege authenticated users from exploiting missing authorization checks in the plugin.

AC-6 Least Privilege good match
prevent

Applies least privilege to ensure low-privilege users cannot perform high-impact denial-of-service actions enabled by the vulnerability.

SC-5 Denial-of-service Protection partial match
prevent

Limits the effects of denial-of-service conditions resulting from the scope-changing availability impact of the missing authorization flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Broken access control (CWE-862) in public-facing WordPress plugin allows low-privileged remote authenticated users to trigger resource exhaustion/DoS; directly enables T1190 for initial exploitation of the exposed application and T1499.004 for achieving availability impact via application-level exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comments Import & Export: from n/a through <= 2.4.9.

Deeper analysisAI

CVE-2026-32441 is a missing authorization vulnerability, classified under CWE-862, in the WebToffee Comments Import & Export plugin (comments-import-export-woocommerce) for WordPress. The flaw enables exploiting incorrectly configured access control security levels and affects all versions of the plugin up to and including 2.4.9.

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. The CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) indicates a high availability impact with a changed scope, potentially allowing denial-of-service conditions.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/comments-import-export-woocommerce/vulnerability/wordpress-comments-import-export-plugin-2-4-9-broken-access-control-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-862

CVEs Like This One

CVE-2026-0490Shared CWE-862
CVE-2026-31921Shared CWE-862
CVE-2026-27388Shared CWE-862
CVE-2025-69340Shared CWE-862
CVE-2026-25317Shared CWE-862
CVE-2024-13655Shared CWE-862
CVE-2026-25242Shared CWE-862
CVE-2026-30970Shared CWE-862
CVE-2025-67974Shared CWE-862
CVE-2026-28254Shared CWE-862

References