CVE-2026-32421
Description
Missing Authorization vulnerability in Agile Logix Post Timeline post-timeline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Timeline: from n/a through <= 2.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Post Timeline plugin for WordPress <=2.4.1 lacks proper access control, allowing unauthenticated attackers to exploit incorrectly configured security levels.
Vulnerability Overview
The Post Timeline plugin for WordPress contains a Missing Authorization vulnerability in versions up to and including 2.4.1. This bug stems from incorrectly configured access control security levels, meaning the plugin fails to properly check user permissions before allowing access to certain functions. The issue is classified as a Broken Access Control vulnerability, where a missing authorization, authentication, or nonce token check may allow unprivileged users to perform higher-privileged actions. [1]
Exploitation Scenario
An attacker can exploit this vulnerability without needing authentication, as the access control mechanism is bypassed. The attack surface is wide because the plugin is commonly used on WordPress sites, and mass-exploit campaigns routinely target such weaknesses. The absence of a nonce or capability check means any visitor to a site running the affected plugin could potentially trigger privileged operations. [1]
Impact
Successful exploitation could allow an attacker to modify timeline data or perform other actions intended only for administrators, depending on which functions lack authorization checks. While the official advisory rates the severity as Medium (CVSS v3 5.3), it notes the impact is low severity and exploitation is unlikely in most scenarios. However, unpatched sites remain at risk of automated attacks that scan for this specific weakness. [1]
Mitigation
The vendor has released version 2.4.2 which resolves the vulnerability. All users are strongly advised to update immediately. For those unable to update, the recommended action is to contact your hosting provider or web developer. Patchstack users can enable auto-updates for vulnerable plugins to ensure protection. [1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.