CVE-2026-32378: Missing Authorization in raratheme Book Landing Page
Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Book Landing Page: from n/a through <= 1.2.7.
AI Analysis
Technical Summary
CVE-2026-32378 identifies a Missing Authorization vulnerability in the raratheme Book Landing Page plugin, specifically affecting versions up to and including 1.2.7. The vulnerability arises from incorrectly configured access control security levels, which means that the plugin fails to properly verify whether a user has the necessary permissions before granting access to certain resources or functionalities. This type of vulnerability is critical because it can allow unauthorized users to bypass intended restrictions, potentially exposing sensitive data or enabling unauthorized actions within the affected plugin's scope. The Book Landing Page plugin is typically used on WordPress sites to create and manage book-related landing pages, often involving customer interactions or content management. The lack of proper authorization checks can lead to confidentiality breaches or unauthorized modifications. Although no CVSS score has been assigned, the nature of the vulnerability suggests a significant security risk. No patches or fixes have been officially published at the time of this report, and no known exploits have been observed in the wild. The vulnerability was reserved and published in March 2026 by Patchstack, a known security vendor specializing in WordPress plugin vulnerabilities. Organizations using this plugin should monitor for updates and assess their exposure promptly.
Potential Impact
The impact of CVE-2026-32378 can be substantial for organizations using the affected Book Landing Page plugin. Unauthorized access due to missing authorization can lead to exposure of sensitive information, unauthorized content modification, or manipulation of user interactions on landing pages. This can damage organizational reputation, result in data breaches, and potentially facilitate further attacks if attackers leverage the unauthorized access to pivot within the network. Since the plugin is used in WordPress environments, which are widely deployed globally, the scope of affected systems is broad. The absence of authentication requirements for exploitation increases the risk, making it easier for attackers to exploit the vulnerability remotely. The integrity and confidentiality of data managed by the plugin are primarily at risk, while availability impact is likely limited unless attackers use the access to disrupt services. Organizations in sectors relying heavily on digital marketing, e-commerce, or publishing are particularly vulnerable due to the plugin’s typical use cases.
Mitigation Recommendations
To mitigate the risks posed by CVE-2026-32378, organizations should take the following specific actions:
1) Immediately audit the access control configurations of the Book Landing Page plugin to identify any unauthorized access paths.
2) Restrict plugin access to trusted users and roles until an official patch is released.
3) Monitor web server and application logs for unusual access patterns or attempts to exploit the plugin.
4) Implement web application firewall (WAF) rules to block suspicious requests targeting the plugin endpoints.
5) Engage with the plugin vendor or community to obtain updates or patches as soon as they become available.
6) Consider temporarily disabling the plugin if it is not critical to operations or if the risk is deemed unacceptable.
7) Educate site administrators on the importance of least privilege principles and regularly review user permissions related to the plugin.
8) Employ security scanning tools specialized in WordPress plugin vulnerabilities to detect similar issues proactively.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-03-12T11:11:04.188Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69b3fc712f860ef943d17a64
Added to database: 3/13/2026, 12:00:49 PM
Last enriched: 3/13/2026, 1:01:29 PM
Last updated: 3/15/2026, 12:36:09 PM