Platform: wordpress
Component: kama-thumbnail
Fixed in: 3.5.2
CVE-2026-24521 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Kama Thumbnail WordPress plugin. Because the affected plugin actions do not verify that a state-changing request was intentionally issued by the logged-in user, an attacker can trick an authenticated user into performing actions they did not intend, potentially leading to unauthorized modification or deletion of thumbnail data. The vulnerability affects versions from 0.0.0 up to and including 3.5.1; a fix is available in a later version (3.5.2).
A successful CSRF attack could allow an attacker to modify thumbnail settings, delete existing thumbnails, or potentially gain access to other sensitive data within the WordPress installation. The impact is amplified if the affected site handles sensitive content or user data. Attackers could leverage this vulnerability to deface the website, steal user credentials, or compromise the entire system. While the CVSS score is medium, the ease of exploitation and the potential impact on WordPress sites warrant prompt attention.
CVE-2026-24521 was publicly disclosed on 2026-01-23. Currently there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. The relatively low CVSS score suggests a lower probability of exploitation, but proactive mitigation is still recommended.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-24521 is to upgrade the Kama Thumbnail plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule that filters out requests carrying suspicious or missing CSRF tokens. Additionally, ensure that all WordPress users are educated about the risks of clicking untrusted links and opening suspicious emails. Regularly review WordPress plugin configurations and permissions to minimize the attack surface.
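The root cause of a CSRF flaw in a WordPress plugin is a state-changing handler that runs without checking a nonce or the caller's capability. The following is an added example written for this page, not code from the Kama Thumbnail plugin or its fix: it shows a hypothetical thumbnail-cache handler in the unprotected form beside the hardened form using WordPress core's nonce and capability APIs (`wp_create_nonce`, `check_ajax_referer`, `current_user_can`). The action name `kt_demo_clear_thumbs`, the option name and the JavaScript handle are assumptions chosen for illustration.

```php
<?php
/**
 * Added illustration for this advisory; not the plugin's own code.
 * Both handlers are registered under hypothetical action names so the
 * vulnerable and hardened variants can be compared side by side.
 */

// --- Vulnerable pattern: acts on any request from a logged-in browser. ---
// A cross-site page can trigger this via an auto-submitted form or fetch(),
// because the browser attaches the WordPress auth cookie automatically.
add_action( 'wp_ajax_kt_demo_clear_thumbs_unsafe', function () {
    $width = isset( $_POST['width'] ) ? absint( $_POST['width'] ) : 0;
    delete_option( 'kt_demo_thumb_cache_' . $width ); // assumed option name
    wp_send_json_success( array( 'cleared' => $width ) );
} );

// --- Hardened pattern: nonce check + capability check. ---
add_action( 'wp_ajax_kt_demo_clear_thumbs', function () {
    // 1. Verify the per-user, per-action nonce sent in the "_wpnonce" field.
    //    check_ajax_referer() dies with a 403 if the nonce is missing/invalid,
    //    so a cross-site page that cannot read the nonce cannot pass this.
    check_ajax_referer( 'kt_demo_clear_thumbs', '_wpnonce' );

    // 2. Authorization is separate from CSRF protection: confirm the caller
    //    actually holds the capability the action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    // 3. Only then touch state, with sanitized input.
    $width = isset( $_POST['width'] ) ? absint( $_POST['width'] ) : 0;
    if ( 0 === $width ) {
        wp_send_json_error( array( 'message' => 'invalid width' ), 400 );
    }
    delete_option( 'kt_demo_thumb_cache_' . $width ); // assumed option name
    wp_send_json_success( array( 'cleared' => $width ) );
} );

// --- Issuing the nonce to the legitimate admin page. ---
// The nonce is bound to the current user and the action string, expires
// (default 24h in two 12h ticks), and is rendered only inside wp-admin,
// where a cross-origin attacker cannot read it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_kt-demo' !== $hook ) { // assumed settings page hook
        return;
    }
    wp_enqueue_script(
        'kt-demo-admin',                                   // assumed handle
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'kt-demo-admin', 'ktDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'kt_demo_clear_thumbs' ),
    ) );
} );

// For a classic HTML form instead of AJAX, the equivalent pair is
// wp_nonce_field( 'kt_demo_clear_thumbs' ) in the form and
// check_admin_referer( 'kt_demo_clear_thumbs' ) in the handler.
```

When reviewing a plugin for this class of issue, the check to make is mechanical: every `wp_ajax_*`, `admin_post_*` or settings-saving handler that writes or deletes data should contain both a nonce verification and a capability check before the first write. A WAF cannot reliably substitute for this, because the token is application-specific; at most it can block state-changing requests to `admin-ajax.php` whose `Origin`/`Referer` headers do not match the site, which is a useful stopgap while the upgrade is scheduled.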
CVE-2026-24521 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Kama Thumbnail WordPress plugin that allows attackers to cause authenticated users to perform unauthorized actions.
You are affected if you are using Kama Thumbnail versions 0.0.0 through 3.5.1. Upgrade to a patched version to resolve the issue.
Upgrade the Kama Thumbnail plugin to the latest available version. If an immediate upgrade is not possible, implement WAF rules and educate users about CSRF risks.
Currently there are no known public exploits or active campaigns targeting CVE-2026-24521, but proactive mitigation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.