CVE-2026-32420

The GamiPress plugin for WordPress (versions up to and including 7.6.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. This issue arises from insufficient validation of requests, allowing an attacker to trick an authenticated administrator (or other privileged user) into performing unwanted actions while their session is active [1].

Exploitation requires user interaction: the victim must click a malicious link, visit a crafted page, or submit a form. No direct authentication is needed for the attacker, but the target must be logged into the site with sufficient privileges. This is typical of CSRF attacks, which leverage the victim's active session to forge requests [1].

If successfully exploited, an attacker can force the victim to execute actions under their current authentication, such as changing settings, modifying user roles, or performing other administrative operations. The CVSS score of 5.4 (Medium) reflects the requirement for user interaction and the potential for limited impact [1].

The vulnerability has been patched in GamiPress version 7.6.7. Users are advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. The patch is available via the WordPress plugin repository, and auto-updates are suggested for Patchstack users [1].