Access Control Misconfiguration in Envo Extra Plugin by EnvoThemes
CVE-2026-32386

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Envo Extra
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-32386?

The Envo Extra plugin, developed by EnvoThemes, contains a vulnerability that arises from improper authorization controls. This oversight permits unauthorized users to exploit the incorrect configuration of access levels, potentially leading to unauthorized access to sensitive functionalities. The affected versions, including all prior to and including 1.9.13, need immediate attention and updates to mitigate risks associated with this access control misconfiguration.

Affected Version(s)

Envo Extra 0 <= 1.9.13

References

https://patchstack.com/database/Wordpress/Plugin/envo-ext...

vdb-entry

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Jakub Herman | Patchstack Bug Bounty Program

CVE-2026-32386 Data

JSON