CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
CVE-2025-49924 (GCVE-0-2025-49924)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:32 – Updated: 2026-04-28 16:13- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| Josh Kohlbach | Wholesale Suite |
Affected:
0 , ≤ 2.2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:29:10.802636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T19:39:42.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce-wholesale-prices",
"product": "Wholesale Suite",
"vendor": "Josh Kohlbach",
"versions": [
{
"changes": [
{
"at": "2.2.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:25:33.709Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.\u003cp\u003eThis issue affects Wholesale Suite: from n/a through \u003c= 2.2.4.2.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through \u003c= 2.2.4.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:08.005Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Wholesale Suite plugin \u003c= 2.2.4.2 - Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49924",
"datePublished": "2025-10-22T14:32:13.804Z",
"dateReserved": "2025-06-11T16:07:08.210Z",
"dateUpdated": "2026-04-28T16:13:08.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49900 (GCVE-0-2025-49900)
Vulnerability from cvelistv5 – Published: 2025-11-06 15:53 – Updated: 2026-04-28 20:23- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| bPlugins | Advanced scrollbar |
Affected:
0 , ≤ 1.1.8
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T19:33:28.489685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T20:23:31.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "advanced-scrollbar",
"product": "Advanced scrollbar",
"vendor": "bPlugins",
"versions": [
{
"changes": [
{
"at": "1.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:16.830Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in bPlugins Advanced scrollbar advanced-scrollbar allows Privilege Escalation.\u003cp\u003eThis issue affects Advanced scrollbar: from n/a through \u003c= 1.1.8.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in bPlugins Advanced scrollbar advanced-scrollbar allows Privilege Escalation.This issue affects Advanced scrollbar: from n/a through \u003c= 1.1.8."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:07.310Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/advanced-scrollbar/vulnerability/wordpress-advanced-scrollbar-plugin-1-1-8-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Advanced scrollbar plugin \u003c= 1.1.8 - Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49900",
"datePublished": "2025-11-06T15:53:54.586Z",
"dateReserved": "2025-06-11T16:06:34.447Z",
"dateUpdated": "2026-04-28T20:23:31.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49867 (GCVE-0-2025-49867)
Vulnerability from cvelistv5 – Published: 2025-07-04 11:17 – Updated: 2026-04-28 16:13- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/r… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| InspiryThemes | RealHomes |
Affected:
0 , ≤ 4.4.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T14:04:57.706972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:00:31.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "realhomes",
"product": "RealHomes",
"vendor": "InspiryThemes",
"versions": [
{
"changes": [
{
"at": "4.4.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:18.908Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.\u003cp\u003eThis issue affects RealHomes: from n/a through \u003c= 4.4.0.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes: from n/a through \u003c= 4.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:06.546Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/realhomes/vulnerability/wordpress-realhomes-4-4-0-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress RealHomes theme \u003c= 4.4.0 - Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49867",
"datePublished": "2025-07-04T11:17:59.003Z",
"dateReserved": "2025-06-11T16:06:05.695Z",
"dateUpdated": "2026-04-28T16:13:06.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49580 (GCVE-0-2025-49580)
Vulnerability from cvelistv5 – Published: 2025-06-13 15:45 – Updated: 2025-06-13 18:09- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/ab… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-22836 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 17.0.0-rc-1, < 17.1.0-rc-1
Affected: >= 16.5.0-rc-1, < 16.10.4 Affected: >= 8.2, < 16.4.7 Affected: >= 7.4.5, < 8.0-milestone-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49580",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T18:08:56.660431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T18:09:04.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.1.0-rc-1"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.4"
},
{
"status": "affected",
"version": "\u003e= 8.2, \u003c 16.4.7"
},
{
"status": "affected",
"version": "\u003e= 7.4.5, \u003c 8.0-milestone-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T15:45:58.451Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22836",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22836"
}
],
"source": {
"advisory": "GHSA-jm43-hrq7-r7w6",
"discovery": "UNKNOWN"
},
"title": "XWiki allows privilege escalation through link refactoring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49580",
"datePublished": "2025-06-13T15:45:58.451Z",
"dateReserved": "2025-06-06T15:44:21.555Z",
"dateUpdated": "2025-06-13T18:09:04.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49422 (GCVE-0-2025-49422)
Vulnerability from cvelistv5 – Published: 2025-08-20 08:03 – Updated: 2026-04-28 16:13- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| themepassion | Support Ticket |
Affected:
0 , ≤ 1.9
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:56:24.840541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:56:31.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "support-ticket",
"product": "Support Ticket",
"vendor": "themepassion",
"versions": [
{
"lessThanOrEqual": "1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:13.251Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in themepassion Support Ticket support-ticket allows Privilege Escalation.\u003cp\u003eThis issue affects Support Ticket: from n/a through \u003c= 1.9.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in themepassion Support Ticket support-ticket allows Privilege Escalation.This issue affects Support Ticket: from n/a through \u003c= 1.9."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:04.295Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/support-ticket/vulnerability/wordpress-support-ticket-plugin-1-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Support Ticket Plugin \u003c= 1.9 - Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49422",
"datePublished": "2025-08-20T08:03:43.024Z",
"dateReserved": "2025-06-04T15:44:22.453Z",
"dateUpdated": "2026-04-28T16:13:04.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49401 (GCVE-0-2025-49401)
Vulnerability from cvelistv5 – Published: 2025-09-05 16:15 – Updated: 2026-04-28 16:13- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/s… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| axiomthemes | smart SEO |
Affected:
0 , ≤ 4.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:46:01.180358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:47:21.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://themeforest.net",
"defaultStatus": "unaffected",
"packageName": "smartSEO",
"product": "smart SEO",
"vendor": "axiomthemes",
"versions": [
{
"lessThanOrEqual": "4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:08.524Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in axiomthemes smart SEO smartSEO allows Privilege Escalation.\u003cp\u003eThis issue affects smart SEO: from n/a through \u003c= 4.0.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in axiomthemes smart SEO smartSEO allows Privilege Escalation.This issue affects smart SEO: from n/a through \u003c= 4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:03.429Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-plugin-4-0-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress smart SEO Plugin \u003c= 4.0 - Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49401",
"datePublished": "2025-09-05T16:15:40.868Z",
"dateReserved": "2025-06-04T15:44:03.663Z",
"dateUpdated": "2026-04-28T16:13:03.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49388 (GCVE-0-2025-49388)
Vulnerability from cvelistv5 – Published: 2025-08-28 12:37 – Updated: 2026-04-28 16:13- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| kamleshyadav | Miraculous Core Plugin |
Affected:
0 , ≤ 2.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T15:32:22.501191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T15:32:50.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://themeforest.net",
"defaultStatus": "unaffected",
"packageName": "miraculouscore",
"product": "Miraculous Core Plugin",
"vendor": "kamleshyadav",
"versions": [
{
"changes": [
{
"at": "2.0.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:07.374Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.\u003cp\u003eThis issue affects Miraculous Core Plugin: from n/a through \u003c= 2.0.7.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through \u003c= 2.0.7."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:02.828Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-7-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Miraculous Core Plugin Plugin \u003c= 2.0.7 - Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49388",
"datePublished": "2025-08-28T12:37:13.815Z",
"dateReserved": "2025-06-04T15:43:46.346Z",
"dateUpdated": "2026-04-28T16:13:02.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49379 (GCVE-0-2025-49379)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:21 – Updated: 2026-04-28 20:23- CWE-266 - Incorrect Privilege Assignment
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| silverplugins217 | Custom Fields Account Registration For Woocommerce |
Affected:
0 , ≤ 1.2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T19:41:42.996532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T20:23:11.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "custom-fields-account-registration-for-woocommerce",
"product": "Custom Fields Account Registration For Woocommerce",
"vendor": "silverplugins217",
"versions": [
{
"changes": [
{
"at": "1.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:16.032Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation.\u003cp\u003eThis issue affects Custom Fields Account Registration For Woocommerce: from n/a through \u003c= 1.2.\u003c/p\u003e"
}
],
"value": "Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation.This issue affects Custom Fields Account Registration For Woocommerce: from n/a through \u003c= 1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:02.697Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/custom-fields-account-registration-for-woocommerce/vulnerability/wordpress-custom-fields-account-registration-for-woocommerce-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Custom Fields Account Registration For Woocommerce plugin \u003c= 1.2 - Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49379",
"datePublished": "2025-12-18T07:21:43.532Z",
"dateReserved": "2025-06-04T09:42:56.995Z",
"dateUpdated": "2026-04-28T20:23:11.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48911 (GCVE-0-2025-48911)
Vulnerability from cvelistv5 – Published: 2025-06-06 06:50 – Updated: 2025-06-09 13:25- CWE-266 - Incorrect Privilege Assignment
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T13:25:19.479594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T13:25:23.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability of improper permission assignment in the note sharing module\u003cbr\u003eImpact: Successful exploitation of this vulnerability may affect availability."
}
],
"value": "Vulnerability of improper permission assignment in the note sharing module\nImpact: Successful exploitation of this vulnerability may affect availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T06:50:02.942Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2025/6/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2025-48911",
"datePublished": "2025-06-06T06:50:02.942Z",
"dateReserved": "2025-05-28T08:14:26.626Z",
"dateUpdated": "2025-06-09T13:25:23.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48741 (GCVE-0-2025-48741)
Vulnerability from cvelistv5 – Published: 2025-05-23 00:00 – Updated: 2025-05-23 21:19- CWE-266 - Incorrect Privilege Assignment
| Vendor | Product | Version | |
|---|---|---|---|
| StrangeBee | TheHive |
Affected:
5.2.0 , < 5.2.16
(semver)
Affected: 5.3.0 , < 5.3.11 (semver) Affected: 5.4.0 , < 5.4.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T21:19:13.596921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T21:19:24.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TheHive",
"vendor": "StrangeBee",
"versions": [
{
"lessThan": "5.2.16",
"status": "affected",
"version": "5.2.0",
"versionType": "semver"
},
{
"lessThan": "5.3.11",
"status": "affected",
"version": "5.3.0",
"versionType": "semver"
},
{
"lessThan": "5.4.10",
"status": "affected",
"version": "5.4.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:strangebee:thehive:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.16",
"versionStartIncluding": "5.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:strangebee:thehive:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.3.11",
"versionStartIncluding": "5.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:strangebee:thehive:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.10",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of the user\u0027s permissions, through a specific API endpoint."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T19:59:04.495Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2025-004.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48741",
"datePublished": "2025-05-23T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-05-23T21:19:24.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.