CVE-2026-32420

GamiPress <= 7.6.6 - Cross-Site Request Forgery

Severity: medium
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Patched in: 7.6.7
Time to patch: 49d

Description

The GamiPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.6.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 7.6.6
Published: February 26, 2026
Last updated: April 15, 2026
Affected plugin: gamipress

What Changed in the Fix

Changes introduced in v7.6.7 (the patch diff is shown under Security Fix below)


Source Code: WordPress.org SVN

Research Plan (status: Unverified)


Exploitation Research Plan: CVE-2026-32420 (GamiPress CSRF)

1. Vulnerability Summary

The GamiPress plugin (<= 7.6.6) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability. Multiple AJAX handlers within the administrative tools lack nonce validation (check_ajax_referer or wp_verify_nonce). This allows an unauthenticated attacker to perform unauthorized actions by tricking a logged-in administrator into visiting a malicious webpage. While the vulnerability exists across several functions, the "Import/Export Setup" tool is a primary example where privileged actions can be triggered without a security token.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: gamipress_export_setup (and likely gamipress_import_setup, inferred from UI fields)
  • HTTP Method: POST
  • Required Capability: gamipress_get_manager_capability() (typically manage_options)
  • Vulnerable Parameter: action and items[]
  • Preconditions: An administrator with GamiPress management permissions must be logged in and visit a page controlled by the attacker.

3. Code Flow

  1. The plugin registers AJAX handlers in includes/ajax-functions.php (included via gamipress.php).
  2. The tool `includes/admin/tools/
Research Findings (static analysis, not yet PoC-verified)

Summary

The GamiPress plugin for WordPress (up to 7.6.6) is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation on its administrative AJAX handlers for importing and exporting site configurations. This allows an attacker to trick a logged-in administrator into triggering an unauthorized export of site data or importing a malicious configuration file.

Vulnerable Code

// includes/admin/tools/import-export-setup.php line 116
function gamipress_ajax_export_setup_tool() {

    // No check_ajax_referer() / wp_verify_nonce() call here (one is added in 7.6.7):
    // the handler runs for any POST to admin-ajax.php that carries an admin's cookies.
    global $wpdb;

    $postmeta = GamiPress()->db->postmeta;

    // Raw request input, read before any nonce or capability check
    $items = $_POST['items'];

    // Check parameters received
    if( ! isset( $items ) || empty( $items ) ) {
        wp_send_json_error( __( 'No items selected.', 'gamipress' ) );
    }
    // ... (excerpt ends here)
---
// includes/admin/tools/import-export-setup.php line 338
function gamipress_ajax_import_setup_tool() {

    // Same omission: the uploaded file is handled without any nonce check
    // Check parameters received
    if( ! isset( $_FILES['file'] ) ) {
        wp_send_json_error( __( 'No setup to import.', 'gamipress' ) );
    }
    // ... (excerpt ends here)

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/gamipress/7.6.6/includes/admin/tools/import-export-setup.php /home/deploy/wp-safety.org/data/plugin-versions/gamipress/7.6.7/includes/admin/tools/import-export-setup.php
--- /home/deploy/wp-safety.org/data/plugin-versions/gamipress/7.6.6/includes/admin/tools/import-export-setup.php	2026-02-17 12:41:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/gamipress/7.6.7/includes/admin/tools/import-export-setup.php	2026-02-20 08:21:10.000000000 +0000
@@ -116,6 +116,9 @@
  */
 function gamipress_ajax_export_setup_tool() {
 
+    // Security check, forces to die if not security passed
+    check_ajax_referer( 'gamipress_admin', 'nonce' );
+
     global $wpdb;
 
     $postmeta = GamiPress()->db->postmeta;
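Review bot: check_ajax_referer( 'gamipress_admin', 'nonce' ) proves only that the request came from a page that embedded that nonce; it does not authorize the caller, so a capability check (the plan above names gamipress_get_manager_capability(), typically manage_options) should still run before $_POST['items'] is read further down. Minor style point: the comment "Security check, forces to die if not security passed" reads awkwardly; "Dies if the nonce check fails" says the same thing.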
@@ -338,6 +341,9 @@
  */
 function gamipress_ajax_import_setup_tool() {
 
+    // Security check, forces to die if not security passed
+    check_ajax_referer( 'gamipress_admin', 'nonce' );
+
     // Check parameters received
     if( ! isset( $_FILES['file'] ) ) {
         wp_send_json_error( __( 'No setup to import.', 'gamipress' ) );
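Review bot: the nonce action 'gamipress_admin' and field name 'nonce' are shared with the export handler in the previous hunk, so the import form's JavaScript must post exactly that field or the import tool will now die for legitimate administrators; a functional test of the import path on 7.6.7 is worth adding. Placing the check ahead of the $_FILES['file'] test is the right order: a request that fails the referer check never touches the uploaded file.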

Exploit Outline

The exploit targets the `/wp-admin/admin-ajax.php` endpoint via the `gamipress_export_setup` or `gamipress_import_setup` actions. An attacker hosts a malicious page that sends a POST request to this endpoint with parameters like `items[]` for export or a `file` for import. When an administrator with GamiPress management permissions (typically the `manage_options` capability) visits the attacker's page while logged into WordPress, the browser automatically attaches their session cookies to the request, and because the handler checks no nonce, the tool's logic runs with the administrator's privileges.
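As an added defender-side check (not the page's or GamiPress's code), the audit below scans PHP source for `wp_ajax_` registrations and reports callbacks that never call `check_ajax_referer()`, `wp_verify_nonce()` or `check_admin_referer()`; the embedded PHP sample is constructed from the excerpts above, so the 7.6.6-style export handler is flagged and the patched import handler is not.

```python
import re

# Constructed sample modelled on the page's excerpts: the export handler as it
# was in 7.6.6 (no nonce check) and the import handler as patched in 7.6.7.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_gamipress_export_setup', 'gamipress_ajax_export_setup_tool' );
add_action( 'wp_ajax_gamipress_import_setup', 'gamipress_ajax_import_setup_tool' );
function gamipress_ajax_export_setup_tool() {
    $items = $_POST['items'];
    if( ! isset( $items ) || empty( $items ) ) { wp_send_json_error( 'No items selected.' ); }
}
function gamipress_ajax_import_setup_tool() {
    check_ajax_referer( 'gamipress_admin', 'nonce' );
    if( ! isset( $_FILES['file'] ) ) { wp_send_json_error( 'No setup to import.' ); }
}
"""

# add_action( 'wp_ajax_<action>', '<callback>' ) registrations with a string callback
AJAX_HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
NONCE_CALLS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")

def function_body(src, name):
    # Body of a top-level PHP function by naive brace matching; braces inside
    # strings or comments would confuse it, which is acceptable for an audit.
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    # For every wp_ajax_ action: does its callback validate a nonce and check a
    # capability? nopriv_ actions serve anonymous users and are marked as such.
    report = {}
    for action, callback in AJAX_HOOK.findall(src):
        body = function_body(src, callback) or ""
        report[action] = {"callback": callback,
                          "privileged": not action.startswith("nopriv_"),
                          "nonce": any(c in body for c in NONCE_CALLS),
                          "capability": "current_user_can" in body}
    return report

def csrf_candidates(src):
    # Privileged AJAX actions whose callback never validates a nonce
    return sorted(a for a, f in audit_ajax_handlers(src).items()
                  if f["privileged"] and not f["nonce"])
```

Run `csrf_candidates()` over a plugin's PHP files to get the list of actions to review by hand; a handler that passes this check still needs a capability check, which the report's `capability` flag tracks separately.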
