Platform
wordpress
Component
lemmony
Fixed in
1.7.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Lemmony WordPress plugin. The flaw allows an attacker to trick an authenticated user into submitting state-changing requests they did not intend, potentially leading to unauthorized modifications or deletions within the plugin's functionality. The vulnerability affects versions 0.0.0 through 1.7.1 (inclusive); the fix is available in version 1.7.2.
The CSRF vulnerability in Lemmony allows an attacker to craft a request that the victim's own browser will send to the site, carrying the victim's session cookies, so that it appears to originate from the legitimate user. If a user is logged into a WordPress site with the Lemmony plugin installed and an attacker induces them to open a crafted URL or an attacker-controlled page (for example, one containing an auto-submitting form), the attacker's chosen action is executed with that user's privileges. This could include modifying settings, deleting data, or performing other actions the victim is authorized to perform. In WordPress terms, a CSRF flaw of this kind means a state-changing handler that does not verify a nonce (or otherwise confirm that the request was intentionally initiated by the user) before acting. The blast radius is limited to the functionality exposed by the Lemmony plugin itself, but successful exploitation could compromise the integrity of the WordPress site and its data.
This vulnerability was publicly disclosed on 2026-03-13. There are currently no known public exploits or active campaigns targeting this specific vulnerability, and it is not listed in the CISA KEV catalog. The probability of exploitation is considered low to medium: there is no public exploit, the plugin is relatively niche, and a successful attack requires luring a user who holds the relevant plugin privileges while they are logged in.
Exploit Status
EPSS
0.02% (4th percentile)
CVSS Vector
The primary mitigation for CVE-2026-32328 is to upgrade the Lemmony plugin to version 1.7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, a Web Application Firewall (WAF) that enforces Origin/Referer checks on state-changing requests to the plugin's endpoints can reduce exposure, but only as a stopgap: a CSRF request is sent by the victim's own browser with valid cookies, so generic request filtering cannot reliably distinguish it from legitimate traffic. Browser SameSite=Lax cookie defaults block many cross-site POST submissions but not top-level GET navigations, so they should not be relied on either. Input validation and sanitization (for example a 'sanitize_callback' on registered settings) remain good practice but do not address CSRF, because the forged request carries data the victim is authorized to submit; the relevant WordPress control is nonce verification ('wp_nonce_field' in the form, 'check_admin_referer' or 'wp_verify_nonce' in the handler) combined with a capability check ('current_user_can'). Until the upgrade is applied, keep the number of accounts holding the capabilities the plugin's actions require to a minimum, since only those users are useful CSRF targets. After upgrading, confirm the installed version (for example with WP-CLI: wp plugin get lemmony --field=version) and, on a staging site, verify that replaying a state-changing plugin request without a valid nonce is rejected.
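The following is an added example, not Lemmony's code and not taken from this advisory, showing the request-handler pattern described in the exploitation and mitigation paragraphs above: a WordPress admin-post handler that only checks for a logged-in user (and is therefore forgeable cross-site) beside the hardened form that adds a capability check and nonce verification. The hook name 'example_save_settings', the option name 'example_api_endpoint', the nonce field '_example_nonce' and the 'manage_options' capability are placeholders chosen for illustration; the page does not state which Lemmony action was affected.

```php
<?php
/*
 * Added example (not Lemmony's code). Hook, option and nonce names below are
 * placeholders; 'manage_options' is used as the capability the action needs.
 */

/* --- Vulnerable pattern: trusts any request that arrives with a session --- */
function example_save_settings_vulnerable() {
    // Only checks that someone is logged in, not that they meant to send this.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    // A cross-site form POST carries the victim's cookies, so this branch runs
    // with attacker-chosen data. Sanitizing the value does not change that.
    $endpoint = isset( $_POST['api_endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['api_endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}

/* --- Hardened pattern: nonce in the form, nonce + capability check in the handler --- */
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php
        // Emits a hidden '_example_nonce' field bound to this action and the
        // current user's session; an attacker's page cannot obtain it.
        wp_nonce_field( 'example_save_settings', '_example_nonce' );
        ?>
        <label>API endpoint
            <input type="text" name="api_endpoint"
                   value="<?php echo esc_attr( get_option( 'example_api_endpoint', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // 1. Authorization: the user must hold the capability this action needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce named in the
    //    second argument against the action in the first and calls wp_die()
    //    on failure, so a forged request never reaches the code below.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 3. Only now touch state. Sanitization is still required, but it is a
    //    separate control from the nonce check.
    $endpoint = isset( $_POST['api_endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['api_endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}

// admin-post.php dispatches to the admin_post_{action} hook for logged-in users.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The same split applies to the plugin's other entry points: 'wp_ajax_*' handlers should call 'check_ajax_referer', and REST routes should declare a 'permission_callback' (the REST API additionally requires the 'X-WP-Nonce' header for cookie-authenticated requests). When verifying a fixed version on a staging site, replaying the hardened form's POST with the '_example_nonce' field removed or altered should produce the wp_die() failure page rather than a changed option.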
Update to version 1.7.2, or a newer patched version
CVE-2026-32328 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.7.1 of the Lemmony WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if your WordPress site uses the Lemmony plugin and is running a version between 0.0.0 and 1.7.1 (inclusive).
Upgrade the Lemmony plugin to version 1.7.2 or later. Consider WAF rules enforcing Origin/Referer checks as a temporary, partial mitigation if upgrading is not immediately possible.
There are currently no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the Lemmony plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2026-32328.