CVE-2026-32397

Vulnerability

Overview

The Filter & Grids plugin (ymc-smart-filter) versions up to and including 3.5.1 suffer from a missing authorization vulnerability [1]. This broken access control issue means that certain functions or endpoints do not properly verify user permissions, allowing unauthenticated or low-privileged users to access functionality that should be restricted.

Exploitation

Attackers can exploit this flaw by sending specially crafted requests to the vulnerable plugin endpoints without needing any authentication [1]. The advisory highlights that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of their size or popularity.

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying plugin settings or accessing sensitive data, depending on the specific missing authorization. However, the CVSS score of 5.3 (Medium) and the advisory's assessment indicate a low severity impact, and exploitation is considered unlikely.

Mitigation

The vulnerability has been patched in version 3.5.2 of the plugin. Users are strongly advised to update immediately. For Patchstack users, enabling auto-update for vulnerable plugins can help ensure timely protection [1].