CVE-2026-32567
Received Received - Intake
Path Traversal in YML for Yandex Market Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal.This issue affects YML for Yandex Market: from n/a through < 5.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32567
EUVD
EUVD-2026-15929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yandex ym_for_yandex_market to 5.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32567 is a vulnerability in the WordPress plugin "YML for Yandex Market" affecting versions prior to 5.3.0. It is an arbitrary file deletion vulnerability caused by improper limitation of a pathname to a restricted directory, also known as a Path Traversal issue.

This flaw allows an attacker with shop manager or developer privileges to delete arbitrary files from the affected website, potentially including core website files.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

Exploitation of this vulnerability can lead to deletion of important files on your website, including core files necessary for the site to function.

This can cause the website to break or stop functioning properly, resulting in downtime and potential loss of data or service availability.

Detection Guidance

This vulnerability affects the WordPress plugin "YML for Yandex Market" versions prior to 5.3.0 and allows arbitrary file deletion by users with shop manager or developer privileges.

To detect if your system is vulnerable, first check the installed version of the YML for Yandex Market plugin on your WordPress site.

  • Use the WordPress admin dashboard to navigate to Plugins and verify the version of "YML for Yandex Market".
  • Alternatively, use the command line to check the plugin version by running: `wp plugin list --format=json | jq '.[] | select(.name=="yml-for-yandex-market") | .version'` (requires WP-CLI and jq).

Additionally, monitor logs for suspicious file deletion attempts or unauthorized access by users with elevated privileges.

Mitigation Strategies

The primary mitigation step is to update the YML for Yandex Market plugin to version 5.3.0 or later, where the vulnerability is fixed.

Until the update can be applied, use Patchstack's mitigation rules which can block attacks targeting this vulnerability.

  • Apply the official patch or update the plugin immediately.
  • Implement web application firewall (WAF) rules or security plugins that can block exploitation attempts.
  • Limit the number of users with shop manager or developer privileges to reduce risk.

Seek assistance from hosting providers or developers if needed to ensure timely patching and protection.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-32567 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart