CVE-2026-32495 identifies a missing authorization vulnerability in the WP Terms Popup plugin developed by Link Software LLC, affecting all versions up to 2.10.0. The vulnerability arises from improperly configured access control mechanisms within the plugin, which is designed to manage terms and conditions popups on WordPress sites. Due to this misconfiguration, unauthorized users can bypass intended security checks, potentially allowing them to perform actions or access resources that should be restricted. The vulnerability does not require authentication or user interaction, increasing its exploitability. While no public exploits have been reported, the flaw could be leveraged to manipulate popup behavior, alter terms acceptance records, or interfere with site compliance features. The lack of a CVSS score means severity must be inferred from the nature of the vulnerability: missing authorization is a critical security lapse that can compromise confidentiality and integrity of site operations. The vulnerability affects a widely used content management system plugin, increasing the scope and potential impact. The issue was published on March 25, 2026, with no available patches at the time, highlighting the urgency for mitigation measures.

The missing authorization vulnerability in WP Terms Popup can lead to unauthorized access and manipulation of plugin functionality, undermining the integrity and confidentiality of site compliance data. Attackers could potentially bypass user consent mechanisms, alter terms acceptance records, or disrupt the display and enforcement of terms and conditions popups. This could expose organizations to legal and regulatory risks, especially those relying on such plugins for GDPR or other compliance requirements. The vulnerability may also be used as a foothold for further attacks within the WordPress environment, potentially leading to broader site compromise. Given WordPress's extensive global usage, the impact could be widespread, affecting websites ranging from small businesses to large enterprises. The absence of authentication requirements and user interaction lowers the barrier for exploitation, increasing the threat level. Although no active exploits are known, the vulnerability represents a significant risk until patched.

1. Immediately restrict access to the WP Terms Popup plugin endpoints using web application firewalls (WAFs) or server-level access controls to limit exposure to unauthorized users. 2. Monitor web server and application logs for unusual or unauthorized requests targeting the plugin's functionality. 3. Disable or deactivate the WP Terms Popup plugin if it is not essential, until a security patch is released. 4. Engage with Link Software LLC or trusted security sources to obtain updates or patches as soon as they become available. 5. Implement strict role-based access controls (RBAC) within WordPress to minimize the number of users who can interact with plugin settings or data. 6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their configurations. 7. Educate site administrators about the risks of missing authorization vulnerabilities and the importance of timely updates. 8. Consider alternative plugins with verified security track records if immediate patching is not feasible.