VYPR
Medium severity 6.8 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 29, 2026

CVE-2026-32567

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal. This issue affects YML for Yandex Market: from n/a through < 5.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in the YML for Yandex Market WordPress plugin allows unauthenticated attackers to delete arbitrary files, potentially breaking the site.

The YML for Yandex Market plugin for WordPress (versions before 5.3.0) contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. This flaw arises from insufficient validation of user-supplied file paths, enabling an attacker to traverse outside the intended directory and delete arbitrary files on the server [1].

Exploitation does not require authentication, making it accessible to any remote attacker. By sending specially crafted requests to the plugin's endpoints, an adversary can specify arbitrary file paths to delete. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Successful exploitation allows an attacker to delete critical WordPress core files, configuration files, or other sensitive data. This can cause the website to break, become inaccessible, or lead to a complete denial of service. In some scenarios, deleting essential files may pave the way for further compromise [1].

To mitigate the risk, users must update the plugin to version 5.3.0 or later, which contains the fix. Patchstack has also issued a mitigation rule to block attacks until the update is applied. Given the active threat landscape, immediate action is recommended [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
