CVE-2026-32565
Description
Missing Authorization vulnerability in Ajay Contextual Related Posts contextual-related-posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contextual Related Posts: from n/a through < 4.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Contextual Related Posts plugin (versions <4.2.2) allows unauthenticated attackers to exploit incorrectly configured access controls, potentially leading to unauthorized actions.
Vulnerability Overview
The Contextual Related Posts plugin for WordPress versions prior to 4.2.2 suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks, allowing unauthenticated users to trigger functions that should require higher privileges [1]. This is classified as a Broken Access Control issue.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the WordPress site without any authentication. The missing authorization check means that no valid nonce or capability verification is performed, enabling unprivileged users to execute actions reserved for administrators or other roles [1]. The vulnerability is particularly concerning because it can be leveraged in mass-exploit campaigns targeting thousands of sites simultaneously.
Impact
Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying plugin settings or accessing restricted data. While the CVSS score is 5.3 (Medium), the ease of exploitation and the potential for automated attacks increase the risk [1].
Mitigation
The vulnerability has been patched in version 4.2.2 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is available; updating is the only recommended solution [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.