WP-Safety
CVE-2026-32331

Textmetrics <= 3.6.4 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.6.5
Patched in
67d
Time to patch

Description

The Textmetrics plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.4
PublishedFebruary 8, 2026
Last updatedApril 15, 2026
Affected pluginwebtexttool

What Changed in the Fix

Changes introduced in v3.6.5

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v3.6.4
Browse source Download .zip
Patched v3.6.5
Browse source Download .zip
Research Plan
Unverified

# Research Plan: CVE-2026-32331 Textmetrics Missing Authorization ## 1. Vulnerability Summary The Textmetrics plugin for WordPress (versions <= 3.6.4) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, an AJAX callback function (likely `wtt_ajax_save_meta` or `…

Show full research plan

Research Plan: CVE-2026-32331 Textmetrics Missing Authorization

1. Vulnerability Summary

The Textmetrics plugin for WordPress (versions <= 3.6.4) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, an AJAX callback function (likely wtt_ajax_save_meta or wtt_save_social_meta) fails to perform a capability check (e.g., current_user_can('edit_post', $post_id)). This allows an authenticated attacker with Subscriber-level permissions to modify the SEO and social metadata of arbitrary posts or pages by sending crafted AJAX requests to admin-ajax.php.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wtt_ajax_save_meta (inferred from plugin history and source patterns)
  • Method: POST
  • Authentication: Required (Subscriber-level access)
  • Payload Parameter: post_id (the target post), wttcontent (the nonce), and metadata fields like wtt_social_title or wtt_social_description.
  • Precondition: The attacker must obtain a valid nonce for the wttcallback action. While Subscribers don't normally edit posts, the nonce is generated in the wtt_social_meta_box function and may be exposed through other authenticated views or shared nonce actions.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Textmetrics plugin for WordPress is vulnerable to unauthorized post metadata modification due to insufficient capability checks in its AJAX handling logic. Authenticated attackers with subscriber-level permissions or higher can exploit this to alter SEO and social metadata for arbitrary posts or pages.

Vulnerable Code

// core/class-webtexttool-core.php

/* Line 735 in version 3.6.4 */
$output = array("message" => 'process server ajax failed'); // set default output message
$action = $this->get_webtexttoolnonce_action(); // text used to generate or check the nonce.

if (!current_user_can('edit_posts')) {
    exit;
}

// check if the nonce and data exist, otherwise exit
if (array_key_exists('nonce', $_POST) && array_key_exists('data', $_POST) && array_key_exists('postId', $_POST)) {
    $nonce = htmlentities($_POST['nonce']);
    if (wp_verify_nonce($nonce, $action)) {
        $data = $_POST['data'];
        $pageid = $_POST['postId'];

        $option_key = $data['option'];
        $option_value = $data['value'];

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/webtexttool/3.6.4/core/class-webtexttool-core.php	2026-02-05 11:03:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/webtexttool/3.6.5/core/class-webtexttool-core.php	2026-02-26 10:44:50.000000000 +0000
@@ -735,10 +735,6 @@
         $output = array("message" => 'process server ajax failed'); // set default output message
         $action = $this->get_webtexttoolnonce_action(); // text used to generate or check the nonce.
 
-        if (!current_user_can('edit_posts')) {
-            exit;
-        }
-
         // check if the nonce and data exist, otherwise exit
         if (array_key_exists('nonce', $_POST) && array_key_exists('data', $_POST) && array_key_exists('postId', $_POST)) {
             $nonce = htmlentities($_POST['nonce']);
@@ -746,6 +742,14 @@
                 $data = $_POST['data'];
                 $pageid = $_POST['postId'];
 
+                // Check if user can edit this specific post
+                if (!current_user_can('edit_post', $pageid)) {
+                    $output['message'] = 'unauthorized';
+                    header("Content-Type: application/json");
+                    echo json_encode($output);
+                    die();
+                }
+
                 $option_key = $data['option'];
                 $option_value = $data['value'];

Exploit Outline

To exploit this vulnerability, an authenticated attacker with Subscriber-level access (or higher) must first obtain a valid WordPress nonce for the 'wttcallback' action. The attacker then sends a POST request to the `/wp-admin/admin-ajax.php` endpoint with the 'action' parameter set to the plugin's meta-saving function. The payload must include the 'postId' of the target post to be modified, the 'nonce', and a 'data' array containing the 'option' (meta key) and 'value' (new content) they wish to update. Because the plugin lacks a resource-specific capability check (like `current_user_can('edit_post', $postId)`), the server will process the metadata update for any post ID provided, regardless of whether the attacker has permission to edit that specific content.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe7b884-c245-4412-b43d-38d0565fccbd?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database