CVE-2026-32339: Missing Authorization in raratheme Bakes And Cakes
Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bakes And Cakes: from n/a through <= 1.2.9.
AI Analysis
Technical Summary
CVE-2026-32339 identifies a missing authorization vulnerability in the raratheme Bakes And Cakes plugin, specifically affecting versions up to and including 1.2.9. The vulnerability arises from incorrectly configured access control security levels, which means that certain operations or data that should be restricted to authorized users can be accessed or manipulated by unauthorized actors. This type of flaw typically occurs when the plugin fails to properly verify user permissions before allowing actions, leading to privilege escalation or unauthorized data exposure. Although the exact technical details such as the affected endpoints or functions are not provided, the core issue is an access control bypass. The vulnerability was reserved and published in March 2026, but no CVSS score or patches have been released yet, and no known exploits have been observed in the wild. The plugin is likely used in WordPress environments for bakery or e-commerce websites, where unauthorized access could compromise business operations or customer data. The lack of a CVSS score requires an assessment based on the potential impact and exploitability, which suggests a high severity due to the direct bypass of authorization controls without requiring authentication or complex user interaction.
Potential Impact
The primary impact of this vulnerability is unauthorized access to restricted functionality or data within websites using the Bakes And Cakes plugin. This could lead to data leakage, unauthorized modification of content, or manipulation of business-critical operations such as order processing or customer information management. For organizations, this translates into potential data breaches, loss of customer trust, reputational damage, and possible regulatory compliance violations if personal data is exposed. The absence of authentication requirements for exploitation increases the risk, as attackers can potentially exploit this vulnerability remotely without valid credentials. The scope is limited to websites using the affected plugin versions, but given the widespread use of WordPress and e-commerce plugins, the potential attack surface is significant. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available. Organizations relying on this plugin for online sales or customer engagement are particularly vulnerable to operational disruption and data integrity issues.
Mitigation Recommendations
1. Immediately review and restrict access control settings within the Bakes And Cakes plugin to ensure that only authorized users can perform sensitive actions.
2. Monitor website logs for unusual access patterns or unauthorized attempts to access restricted functionality.
3. If possible, temporarily disable or replace the Bakes And Cakes plugin until an official patch or update is released by raratheme.
4. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the plugin's endpoints.
5. Conduct a thorough security audit of all plugins and themes to identify similar access control weaknesses.
6. Educate site administrators on the importance of least privilege principles and regularly review user permissions.
7. Stay informed through official vendor channels and security advisories for patch releases or additional guidance.
8. Consider deploying multi-factor authentication (MFA) for administrative access to reduce the risk of unauthorized exploitation.
9. Back up website data regularly to enable quick recovery in case of compromise.
10. Engage with security professionals to perform penetration testing focused on access control vulnerabilities.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-03-12T11:10:35.808Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69b3fc6a2f860ef943d178c7
Added to database: 3/13/2026, 12:00:42 PM
Last enriched: 3/13/2026, 1:20:18 PM
Last updated: 3/15/2026, 12:48:10 PM