CVE-2026-32515
Published: 25 March 2026
Summary
CVE-2026-32515 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32515 is a missing authorization vulnerability (CWE-862) in the Miraculous WordPress theme developed by kamleshyadav. The flaw allows exploitation of incorrectly configured access control security levels. It affects all versions of the Miraculous theme prior to 2.1.2 (the lower bound of the affected range is given as n/a). The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility and potential for significant confidentiality impact.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables the attacker to access sensitive data (C:H), though it does not impact integrity or availability.
The Patchstack advisory for this WordPress theme vulnerability recommends updating to version 2.1.2 or later, where the broken access control issue has been addressed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15874
Vulnerability details
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous: from n/a through < 2.1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization flaw in a public-facing WordPress theme directly enables remote unauthenticated exploitation for sensitive data access (T1190: Exploit Public-Facing Application).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to information and system resources, directly preventing exploitation of the missing authorization vulnerability in the Miraculous WordPress theme.
Identifies, reports, and corrects flaws like the missing authorization in Miraculous versions prior to 2.1.2 by applying timely patches.
Establishes and enforces secure configuration settings for access controls, mitigating exploitation of incorrectly configured security levels in the WordPress theme.