CVE-2026-32413
Received Received - Intake
Missing Authorization in Permalink Manager Lite Allows Unauthorized Access

Publication date: 2026-03-13

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in Maciej Bis Permalink Manager Lite permalink-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Permalink Manager Lite: from n/a through < 2.5.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32413
EUVD
EUVD-2026-11931
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
maciej_bis permalink_manager_lite to 2.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32413 is a Broken Access Control vulnerability in the WordPress Permalink Manager Lite Plugin versions prior to 2.5.3.

The issue arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unauthenticated users to perform actions that should be restricted to higher-privileged users.

This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

The vulnerability allows unauthenticated users to perform actions reserved for privileged users due to missing authorization checks.

However, the CVSS severity score is 5.3, indicating a low priority and low severity impact.

It is unlikely to be exploited in a way that causes significant harm, but it still poses a risk of unauthorized actions within the plugin.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from missing authorization checks in the WordPress Permalink Manager Lite Plugin versions prior to 2.5.3, allowing unauthenticated users to perform privileged actions.'}, {'type': 'paragraph', 'content': 'Detection would involve checking the plugin version installed on your WordPress system to see if it is older than 2.5.3.'}, {'type': 'paragraph', 'content': 'There are no specific network or system commands provided in the available resources to detect exploitation attempts or presence of this vulnerability.'}, {'type': 'paragraph', 'content': 'A practical approach is to verify the plugin version via WordPress admin dashboard or by running commands to check the plugin version, such as:'}, {'type': 'list_item', 'content': 'Using WP-CLI: wp plugin list | grep permalink-manager-lite'}, {'type': 'list_item', 'content': "Manually checking the plugin's readme or version.php file in the plugin directory."}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the Permalink Manager Lite plugin to version 2.5.3 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "Additionally, using services like Patchstack's mitigation services that offer auto-updates for vulnerable plugins can provide rapid protection."}, {'type': 'paragraph', 'content': 'Ensuring proper access control and authorization configurations in your WordPress environment can also help reduce risk.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart