CVE-2026-32485
Published: 25 March 2026
Summary
CVE-2026-32485 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32485 is a missing authorization vulnerability, classified under CWE-862, in the WP User Frontend plugin (wp-user-frontend) developed by weDevs for WordPress. The flaw enables exploitation of incorrectly configured access control security levels and affects all versions of the plugin from n/a through 4.2.8.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the vulnerability allows unauthenticated attackers to exploit it over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidential information without impacting integrity or availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15829
Vulnerability details
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin allows unauthenticated network attackers to access confidential data; directly maps to exploitation of public-facing applications for initial unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the missing authorization checks in the WP User Frontend plugin.
SI-2 requires timely identification, reporting, and correction of flaws like this CVE, achieved by patching the vulnerable plugin versions <=4.2.8.
AC-6 applies least privilege to limit unauthorized access impact even if plugin authorization is bypassed or misconfigured.