Platform
wordpress
Component
gamipress
Fixed version
7.6.7
CVE-2026-32420 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the GamiPress WordPress plugin. This flaw allows an attacker to potentially trigger unintended actions on a user's account within the plugin, leading to unauthorized modifications or data manipulation. The vulnerability impacts versions of GamiPress from 0.0.0 up to and including 7.6.6. A patch has been released in version 7.6.7.
A successful CSRF attack against GamiPress could allow an attacker to modify user profiles, change plugin settings, or perform other actions as the targeted user. This could result in data corruption, unauthorized access to sensitive information, or even complete control over the affected WordPress site's gamification features. The impact is amplified if the targeted user has administrative privileges within the GamiPress plugin, potentially granting the attacker broader control over the site's functionality. While CSRF typically requires user interaction (e.g., clicking a malicious link), the potential for automated exploitation makes this a significant concern.
CVE-2026-32420 was publicly disclosed on 2026-03-13. No public proof-of-concept (PoC) code has been released at the time of writing, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward once a suitable attack vector is identified. The EPSS score is likely to be assessed as medium, given the ease of exploitation and potential impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting GamiPress.
Websites using the GamiPress plugin, particularly those with user accounts and gamification features, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to lateral movement and exploitation of other sites using vulnerable versions of GamiPress.
• wordpress / composer / npm:
grep -r 'gami_add_user_role' /var/www/html/wp-content/plugins/gamipress/
• wordpress / composer / npm:
wp plugin list --status=active | grep gamipress
• wordpress / composer / npm:
wp plugin update gamipress
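The two `wp plugin` commands above tell you whether GamiPress is installed and active; the remaining step is to decide whether the installed version falls inside the affected range. The script below is an added example, not code from the advisory or from GamiPress: it parses `wp plugin list --format=csv` output (a constructed sample is embedded), compares the reported version against the fixed release 7.6.7 with a proper numeric comparison rather than a string compare, and treats a pre-release such as `7.6.7-beta1` as still unpatched.

```python
"""Check whether an installed GamiPress version is older than the fixed
release 7.6.7 for CVE-2026-32420.

Added example: not code from the advisory or from GamiPress. The
`wp plugin list --format=csv` output below is constructed for illustration.
"""
import csv
import io
import re

FIXED_VERSION = "7.6.7"    # from the advisory: patched in 7.6.7
PLUGIN_SLUG = "gamipress"  # WordPress.org slug of the plugin


def parse_version(version: str) -> tuple:
    """Turn '7.6.6' (or '7.6.6.1', '7.6.7-beta1') into a comparable tuple.

    Leading numeric components are compared numerically; any trailing
    pre-release suffix makes the version sort before the bare release of the
    same number, so '7.6.7-beta1' is still reported as unpatched.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    suffix = match.group(2)
    # pad short versions so that (7, 6) and (7, 6, 0) compare equal
    numbers += (0,) * (4 - len(numbers))
    # a bare release (1) sorts after a pre-release (0) of the same number
    return numbers + ((0,) if suffix else (1,))


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit_plugin_list(csv_text: str, slug: str = PLUGIN_SLUG) -> dict:
    """Parse `wp plugin list --format=csv` output and report on one plugin.

    Returns the installed version, activation status, whether an update is
    pending and whether the install is affected; {'installed': False} when
    the slug is absent from the list.
    """
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["name"] == slug:
            return {
                "installed": True,
                "version": row["version"],
                "status": row["status"],
                "update_available": row["update"] == "available",
                "affected": is_affected(row["version"]),
            }
    return {"installed": False}


# Constructed sample in the shape produced by `wp plugin list --format=csv`
# (columns: name,status,update,version).
SAMPLE_PLUGIN_LIST = """name,status,update,version
akismet,active,none,5.3
gamipress,active,available,7.6.6
hello,inactive,none,1.7.2
"""

if __name__ == "__main__":
    print(audit_plugin_list(SAMPLE_PLUGIN_LIST))
```

To run it against a real site, pipe the output of `wp plugin list --format=csv` into `audit_plugin_list`; an inactive but installed copy is still reported, since an inactive plugin can be re-enabled without anyone re-checking its version.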
Exploitation status
EPSS
0.02% (4th percentile)
CVSS vector
The primary mitigation for CVE-2026-32420 is to immediately update the GamiPress plugin to version 7.6.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that all user accounts have strong, unique passwords and that two-factor authentication is enabled where possible. Regularly review WordPress plugin settings and user permissions to identify and address any potential vulnerabilities.
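The "WAF with CSRF protection rules" named above as a stopgap is, at its core, origin verification: a state-changing request that does not demonstrably come from the site itself is dropped before it reaches the plugin. The following is an added example of that logic, not code from the advisory, GamiPress or any WAF product; it assumes the protected site is `example.com`, and the request records it evaluates are constructed. It follows the OWASP ordering of checks (Sec-Fetch-Site first, then Origin, then Referer) and rejects state-changing requests that carry none of them. It is a layer in front of an unpatched install, not a substitute for the 7.6.7 update.

```python
"""Origin verification for state-changing requests, the rule a WAF or
reverse proxy applies in front of a WordPress site as a CSRF stopgap.

Added example: not code from the advisory, GamiPress or any WAF product.
SITE_HOST and the sample requests are constructed assumptions.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "example.com"                # assumed host of the protected site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # CSRF targets state changes only


def host_of(url: str) -> Optional[str]:
    """Return the lowercase host of an absolute URL, or None if unusable."""
    return urlsplit(url).hostname  # .hostname is already lowercased


def csrf_check(method: str, headers: Dict[str, str],
               site_host: str = SITE_HOST) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason).

    1. Safe methods are never blocked.
    2. Sec-Fetch-Site: 'cross-site' is rejected; 'same-origin' and 'none'
       (user-initiated navigation) are allowed; 'same-site' (a sibling
       subdomain) falls through to the header checks.
    3. Otherwise Origin (preferred) or Referer must name the site host;
       'Origin: null' is treated as untrusted.
    4. A state-changing request with neither header is rejected.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}

    fetch_site = h.get("sec-fetch-site")
    if fetch_site == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    if fetch_site in ("same-origin", "none"):
        return True, f"Sec-Fetch-Site: {fetch_site}"

    origin = h.get("origin")
    if origin is not None:
        if origin == "null":
            return False, "Origin: null"
        src = host_of(origin)
        return src == site_host, f"Origin host {src!r}"

    referer = h.get("referer")
    if referer is not None:
        src = host_of(referer)
        return src == site_host, f"Referer host {src!r}"

    return False, "no Sec-Fetch-Site, Origin or Referer on state-changing request"


# Constructed sample requests: (method, headers).
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("GET",  {"Host": "example.com"}),
    ("POST", {"Origin": "https://example.com", "Sec-Fetch-Site": "same-origin"}),
    ("POST", {"Origin": "https://other.example", "Sec-Fetch-Site": "cross-site"}),
    ("POST", {"Referer": "https://example.com/wp-admin/admin.php"}),  # no Origin
    ("POST", {"Origin": "https://blog.example.com", "Sec-Fetch-Site": "same-site"}),
    ("POST", {"Origin": "null"}),
    ("POST", {}),
]


def audit(requests: List[Tuple[str, Dict[str, str]]]) -> List[bool]:
    """Evaluate each request and return the list of allow/deny decisions."""
    return [csrf_check(m, hdrs)[0] for m, hdrs in requests]


if __name__ == "__main__":
    for (method, hdrs), allowed in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:4} {hdrs}")
```

Treating a missing Origin and Referer as a rejection is deliberate: browsers send at least one of them on form POSTs, so the absent case is more likely a non-browser client than a legitimate user. If the site is served on several hostnames, `site_host` must become a set of allowed hosts rather than a single value.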
Update to version 7.6.7 or a later patched version.
CVE-2026-32420 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the GamiPress WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using GamiPress versions 0.0.0 through 7.6.6. Upgrade to 7.6.7 or later to mitigate the risk.
Update the GamiPress plugin to version 7.6.7 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active exploitation has been confirmed, the CSRF nature of the vulnerability suggests a potential for exploitation. Monitor security advisories.
Refer to the GamiPress official website and WordPress plugin repository for the latest security advisory and update information.