Description
Missing Authorization vulnerability in Maciej Bis Permalink Manager Lite permalink-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Permalink Manager Lite: from n/a through < 2.5.3.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw (CWE-862) in the WordPress plugin Permalink Manager Lite that allows attackers to manipulate permalink settings without proper authentication or authorization checks. This can undermine data integrity and disrupt site navigation, potentially causing availability issues if key URLs are altered or removed.

Affected Systems

WordPress sites using Permalink Manager Lite versions released prior to 2.5.3 are affected. All releases earlier than 2.5.3 contain the flaw, regardless of minor version changes.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% reflects a low probability of exploitation in the current environment. The vulnerability has no entry in the CISA KEV catalog. The likely attack vector is inferred to be exploitation of internal plugin endpoints accessible through the site's backend; this inference is based on the description of missing authorization checks. If an attacker gains access, they can modify or delete permalink configurations, affecting the site structure and user experience.

Generated by OpenCVE AI on March 19, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Permalink Manager Lite to version 2.5.3 or later
  • If upgrade is not feasible, disable or uninstall the plugin

Generated by OpenCVE AI on March 19, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Maciej Bis
Maciej Bis permalink Manager Lite
Wordpress
Wordpress wordpress
Vendors & Products Maciej Bis
Maciej Bis permalink Manager Lite
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Maciej Bis Permalink Manager Lite permalink-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Permalink Manager Lite: from n/a through < 2.5.3.
Title WordPress Permalink Manager Lite plugin < 2.5.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Maciej Bis Permalink Manager Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:12.533Z

Reserved: 2026-03-12T11:11:19.857Z

Link: CVE-2026-32413

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:58.400

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:50Z

Weaknesses