CVE-2026-32514
Missing Authorization in Petitioner β€ 0.7.3 Enables Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anton_voytenko | petitioner | From 0.0.0 (inc) to 0.7.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the WordPress Petitioner Plugin to version 0.7.4 or later, where the vulnerability has been patched.
Until the update can be applied, users of Patchstack can enable an automatic mitigation rule provided by Patchstack to block attacks targeting this vulnerability.
Additionally, enabling auto-updates specifically for vulnerable plugins can help ensure timely protection against this and similar vulnerabilities.
Prompt patching and using security intelligence and managed vulnerability disclosure programs are recommended to protect WordPress installations from exploitation.
Can you explain this vulnerability to me?
CVE-2026-32514 is a medium priority Broken Access Control vulnerability affecting the WordPress Petitioner Plugin versions up to and including 0.7.3.
The issue arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users (even those with only subscriber-level privileges) to perform actions that should be restricted to higher-privileged roles.
This vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 6.5, indicating moderate severity.
How can this vulnerability impact me? :
This vulnerability allows attackers with low-level access (subscriber privileges) to perform unauthorized actions that should be restricted to higher-privileged users.
Because the vulnerability can be exploited in mass campaigns targeting many websites regardless of their traffic or popularity, it increases the risk of unauthorized access and potential manipulation of website functions.
If exploited, it could lead to unauthorized changes, data exposure, or other malicious activities within the affected WordPress site.
Mitigation involves updating the plugin to version 0.7.4 or later and applying available automatic mitigation rules to block attacks until the update is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-32514 vulnerability affects the WordPress Petitioner Plugin versions up to and including 0.7.3 and arises from missing authorization checks allowing unprivileged users to perform restricted actions.
Detection can involve checking the installed version of the Petitioner plugin on your WordPress site to see if it is version 0.7.3 or earlier, which are vulnerable.
While specific commands are not provided, you can detect the vulnerable plugin version by running commands such as:
- Using WP-CLI: `wp plugin list` to check the version of the Petitioner plugin.
- Manually inspecting the plugin version in the WordPress admin dashboard under Plugins.
- Monitoring logs or network traffic for suspicious actions performed by subscriber-level users that should require higher privileges, as the vulnerability allows such unauthorized actions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-32514 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.