CVE-2026-32514

The Petitioner WordPress plugin, versions 0.7.3 and earlier, contains a missing authorization vulnerability. The root cause is a broken access control issue where the plugin fails to properly check user permissions or nonce tokens before executing certain functions, allowing unprivileged users to perform actions intended for higher-privileged roles [1].

Exploitation does not require authentication; an attacker can send crafted requests to trigger the vulnerable functionality. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or traffic [1].

Successful exploitation could allow an attacker to modify plugin settings, access sensitive data, or perform other unauthorized actions that should be restricted to administrators or other privileged users. The CVSS v3 base score of 6.5 (Medium) reflects the moderate severity and potential for widespread abuse [1].

A patched version 0.7.4 has been released by the vendor resolves the issue. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied [1].