CVE-2026-32394
Description
Missing Authorization vulnerability in PublishPress PublishPress Capabilities capability-manager-enhanced allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PublishPress Capabilities: from n/a through <= 2.31.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in PublishPress Capabilities plugin (≤2.31.0) allows unprivileged users to exploit incorrectly configured access controls, potentially leading to privilege escalation.
Vulnerability Overview
The PublishPress Capabilities plugin for WordPress (versions up to 2.31.0) suffers from a missing authorization vulnerability. This means that certain functions or API endpoints within the plugin do not properly verify whether the requesting user has the necessary permissions. As a result, the plugin's access control mechanisms can be bypassed, allowing unauthorized actions [1].
Exploitation
An attacker can exploit this flaw without needing high-level privileges. The vulnerability is classified as a broken access control issue, where an unprivileged user can execute actions that should be reserved for administrators or other higher-privileged roles. The reference notes that such vulnerabilities are commonly used in mass-exploit campaigns, targeting thousands of websites simultaneously [1].
Impact
Successful exploitation could allow an attacker to modify user capabilities, escalate their own privileges, or perform other administrative actions, potentially leading to full site compromise. The CVSS score of 4.3 (Medium) reflects the moderate severity, but the ease of exploitation and prevalence of automated attacks increase the real-world risk [1].
Mitigation
The vulnerability has been addressed in version 2.32.0 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.31.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.