CVE-2026-32567
Path Traversal in YML for Yandex Market Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yandex | ym_for_yandex_market | < 5.3.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32567 is a vulnerability in the WordPress plugin "YML for Yandex Market" affecting versions prior to 5.3.0. It is an arbitrary file deletion vulnerability caused by improper limitation of a pathname to a restricted directory, also known as a Path Traversal issue.
This flaw allows an attacker with shop manager or developer privileges to delete arbitrary files from the affected website, potentially including core website files.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
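To make the CWE-22 pattern behind this advisory concrete, here is an added example (not code from the plugin or from Patchstack) contrasting an unchecked deletion built from user-controlled input with a version that resolves the path and refuses anything outside its base directory. The directory layout, file names and function names are constructed assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def unsafe_delete(base_dir: str, user_filename: str) -> str:
    """CWE-22 pattern (hypothetical): the path is joined with input and never confined."""
    target = os.path.join(base_dir, user_filename)
    os.remove(target)
    return target


def delete_within(base_dir: str, user_filename: str) -> Path:
    """Hardened form: resolve symlinks and '..', then require the result to sit under base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_filename).resolve()
    if base not in target.parents:
        raise PermissionError(f"refusing to delete outside {base}: {target}")
    if not target.is_file():
        raise FileNotFoundError(target)
    target.unlink()
    return target


def demo() -> dict:
    """Constructed layout: a site root with wp-config.php and a feed directory the plugin may manage."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text("<?php // constructed sample")
    feeds = root / "uploads" / "feeds"
    feeds.mkdir(parents=True)
    (feeds / "feed.xml").write_text("<yml_catalog/>")
    results = {}
    try:
        delete_within(str(feeds), "../../wp-config.php")
        results["traversal_blocked"] = False
    except PermissionError:
        results["traversal_blocked"] = (root / "wp-config.php").exists()
    delete_within(str(feeds), "feed.xml")
    results["legit_deleted"] = not (feeds / "feed.xml").exists()
    # The unchecked version follows '..' straight out of the feed directory.
    unsafe_delete(str(feeds), "../../wp-config.php")
    results["unsafe_escaped"] = not (root / "wp-config.php").exists()
    return results
```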
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to deletion of important files on your website, including core files necessary for the site to function.
This can cause the website to break or stop functioning properly, resulting in downtime and potential loss of data or service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress plugin "YML for Yandex Market" versions prior to 5.3.0 and allows arbitrary file deletion by users with shop manager or developer privileges.
To detect if your system is vulnerable, first check the installed version of the YML for Yandex Market plugin on your WordPress site.
- Use the WordPress admin dashboard to navigate to Plugins and verify the version of "YML for Yandex Market".
- Alternatively, use the command line to check the plugin version by running: `wp plugin list --format=json | jq '.[] | select(.name=="yml-for-yandex-market") | .version'` (requires WP-CLI and jq).
Additionally, monitor logs for suspicious file deletion attempts or unauthorized access by users with elevated privileges.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the YML for Yandex Market plugin to version 5.3.0 or later, where the vulnerability is fixed.
Until the update can be applied, use Patchstack's mitigation rules, which can block attacks targeting this vulnerability.
- Apply the official patch or update the plugin immediately.
- Implement web application firewall (WAF) rules or security plugins that can block exploitation attempts.
- Limit the number of users with shop manager or developer privileges to reduce risk.
Seek assistance from hosting providers or developers if needed to ensure timely patching and protection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-32567 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.