CVE-2026-32417
Description
Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through < 1.18.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Pochipp plugin allows attackers to exploit incorrectly configured access control, affecting versions before 1.18.9.
Vulnerability Overview
The Pochipp plugin for WordPress contains a missing authorization vulnerability, meaning it fails to properly verify user permissions before executing certain actions. This flaw allows unprivileged attackers to exploit incorrectly configured access control security levels. The issue affects all versions of Pochipp from n/a through 1.18.8 [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted requests to the plugin's endpoints without appropriate authentication or nonce checks. No special network access is required; the attack can be performed remotely. Since the plugin may be used on thousands of sites, attackers can target them in mass-exploit campaigns [1].
Impact
Successful exploitation could allow an attacker to perform actions reserved for higher-privileged users, such as modifying plugin settings or data. The CVSS score of 5.4 (Medium) indicates a moderate risk, though the actual impact depends on the specific functionality exposed [1].
Mitigation
The vendor has released version 1.18.9, which addresses the missing authorization issue. Users are strongly advised to update immediately. Patchstack recommends enabling auto-updates for vulnerable plugins to receive future fixes promptly [1]. If updating is not possible, consult a hosting provider or web developer for assistance.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.