Description
Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery. This issue affects GamiPress: from n/a through <= 7.6.6.
Published: 2026-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery (CSRF)
Action: Patch
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the GamiPress WordPress plugin. It allows an attacker to trick a legitimate user's browser into submitting unwanted plugin actions under that user's authenticated session. As a result, the attacker can perform privileged operations such as awarding points, adding badges, or modifying the user’s account settings without the user’s consent. The weakness is classified as CWE-352: because the affected functionality lacks CSRF protection, an attacker can make unauthorized use of features that rely on authenticated sessions.

Affected Systems

The affected product is the GamiPress plugin for WordPress, developed by Ruben Garcia. All versions of the plugin from the earliest releases up to and including 7.6.6 are affected. WordPress sites that have not updated the plugin beyond version 7.6.6 are at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is less than 1%, implying low current exploitation probability. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, which suggests no known public exploitation yet. Likely attack vectors involve a malicious link or email that forces the user’s browser to submit a forged request to the GamiPress endpoint. An attacker would need a user with sufficient privileges or an authenticated session to succeed, but the lack of CSRF tokens permits the forgery.

Generated by OpenCVE AI on March 19, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GamiPress to a version newer than 7.6.6.
  • If an immediate update is not possible, apply a temporary CSRF mitigation by ensuring all form submissions include a reliable anti‑CSRF token and that sensitive actions are protected by user authentication and permission checks.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Ruben Garcia; Ruben Garcia gamipress; Wordpress; Wordpress wordpress
Vendors & Products | - | Ruben Garcia; Ruben Garcia gamipress; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | - | Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery. This issue affects GamiPress: from n/a through <= 7.6.6.
Title | - | WordPress GamiPress plugin <= 7.6.6 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses | - | CWE-352
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:13.723Z

Reserved: 2026-03-12T11:11:26.570Z

Link: CVE-2026-32420

Vulnrichment

Updated: 2026-03-13T18:09:07.575Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:59.697

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:44Z