CVE-2026-32413
Description
Missing Authorization vulnerability in Maciej Bis Permalink Manager Lite permalink-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Permalink Manager Lite: from n/a through < 2.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Permalink Manager Lite plugin for WordPress (versions < 2.5.3) has a broken access control vulnerability allowing unprivileged users to execute higher-privileged actions.
Vulnerability Description
The Permalink Manager Lite plugin for WordPress, versions before 2.5.3, contains a missing authorization vulnerability. This flaw arises from a broken access control mechanism, where certain functions lack proper authorization, authentication, or nonce token checks [1]. As a result, an unprivileged user can execute actions that should require higher privileges.
Exploitation
An attacker who already has a low-privileged account on the WordPress site (e.g., a subscriber or contributor) can exploit this vulnerability without any privileges beyond their current role. The attack surface is low, and no special network position is required. The vulnerability is classified as a broken access control issue, a class that is common in mass-exploit campaigns targeting thousands of websites [1].
Impact
Successful exploitation could allow an attacker to perform actions reserved for higher-privileged users, potentially leading to unauthorized changes to permalinks or other settings. The CVSS score of 5.3 (Medium) indicates a moderate impact on confidentiality, integrity, or availability [1].
Mitigation
The vulnerability is patched in version 2.5.3 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Auto-updates can be enabled for vulnerable plugins via Patchstack [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: < 2.5.3
References (1)