Description
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos role to escalate privileges to administrator.
Severity (CVSS)
| Metric | Value |
|---|---|
| Base score | 8.8 |
| Severity | High |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Provided by | CISA-ADP |
Weaknesses
- CWE-269 Improper Privilege Management
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Unknown | Vitepos | 0 to <3.4.2 |
References
- https://wpscan.com/vulnerability/6680cc6a-9758-4040-bb39-7b9545041dc3/ (exploit, vdb-entry, technical-description)
Generated from the official CVE List on 22 Jun 2026 14:43 UTC.