CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5447 vulnerabilities reference this CWE, most recent first.
CVE-2026-14262 (GCVE-0-2026-14262)
Vulnerability from cvelistv5 – Published: 2026-07-11 03:44 – Updated: 2026-07-13 17:37- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| nicu_m | Simple JWT Login – Allows you to use JWT on REST endpoints. |
Affected:
0 , ≤ 3.6.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T17:36:58.883199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T17:37:15.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple JWT Login \u2013 Allows you to use JWT on REST endpoints.",
"vendor": "nicu_m",
"versions": [
{
"lessThanOrEqual": "3.6.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Navapon Premkasem (71C4)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple JWT Login \u2013 Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list \u2014 leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site\u0027s HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator\u0027s email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T03:44:25.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd97a7a4-9f57-4882-9e3e-0e9853416af9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/LoginService.php#L62"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/BaseService.php#L269"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3597277%40simple-jwt-login\u0026new=3597277%40simple-jwt-login"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T15:02:36.000Z",
"value": "Disclosed"
}
],
"title": "Simple JWT Login \u003c= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via \u0027payload\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14262",
"datePublished": "2026-07-11T03:44:25.497Z",
"dateReserved": "2026-06-30T17:21:39.776Z",
"dateUpdated": "2026-07-13T17:37:15.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14250 (GCVE-0-2026-14250)
Vulnerability from cvelistv5 – Published: 2026-07-08 11:30 – Updated: 2026-07-08 12:38- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| themehunk | TH Login Registration |
Affected:
0 , ≤ 1.0.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:37:59.763190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:38:09.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TH Login Registration",
"vendor": "themehunk",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Trung Huynh Chi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled \u0027role\u0027 parameter and validating it only against get_editable_roles() \u2014 which returns every defined editable site role, including \u0027editor\u0027 \u2014 before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T11:30:33.205Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8eee3809-133e-4fd9-ad49-cc6fe3822457?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themehunk-login-registration/tags/1.0.2/includes/class-thlogin-rest-api.php#L811"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themehunk-login-registration/tags/1.0.2/includes/class-thlogin-rest-api.php#L782"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themehunk-login-registration/tags/1.0.2/includes/class-thlogin-rest-api.php#L82"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themehunk-login-registration/tags/1.0.2/includes/class-thlogin-rest-api.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3592690%40themehunk-login-registration\u0026new=3592690%40themehunk-login-registration"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-07T22:41:39.000Z",
"value": "Disclosed"
}
],
"title": "Themehunk Login Registration \u003c= 1.0.2 - Unauthenticated Privilege Escalation via \u0027role\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14250",
"datePublished": "2026-07-08T11:30:33.205Z",
"dateReserved": "2026-06-30T14:19:53.767Z",
"dateUpdated": "2026-07-08T12:38:09.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13756 (GCVE-0-2026-13756)
Vulnerability from cvelistv5 – Published: 2026-07-11 01:29 – Updated: 2026-07-13 16:14- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| WP Grid Builder | WP Grid Builder |
Affected:
0 , ≤ 2.3.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:14:45.849821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:14:52.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Grid Builder",
"vendor": "WP Grid Builder",
"versions": [
{
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "h0xilo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T01:29:19.566Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a42e0e8-a8c7-4bc5-80ca-5ef69d1f0b6c?source=cve"
},
{
"url": "https://docs.wpgridbuilder.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T12:58:36.000Z",
"value": "Disclosed"
}
],
"title": "WP Grid Builder \u003c= 2.3.3 - Authenticated (Subscriber+) Privilege Escalation via \u0027key\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13756",
"datePublished": "2026-07-11T01:29:19.566Z",
"dateReserved": "2026-06-29T17:34:21.761Z",
"dateUpdated": "2026-07-13T16:14:52.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13741 (GCVE-0-2026-13741)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 13:41- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| UnitedOver | Digits: WordPress Mobile Number Signup and Login |
Affected:
0 , ≤ 9.1.0.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:41:48.688255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:41:56.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Digits: WordPress Mobile Number Signup and Login",
"vendor": "UnitedOver",
"versions": [
{
"lessThanOrEqual": "9.1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "h0xilo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:49.183Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02a283b2-a369-4927-a54a-61f26bee6ace?source=cve"
},
{
"url": "https://digits.unitedover.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-30T14:34:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:26:08.000Z",
"value": "Disclosed"
}
],
"title": "Digits: WordPress Mobile Number Signup and Login \u003c= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via \u0027digits_reg_userrole\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13741",
"datePublished": "2026-07-16T08:26:49.183Z",
"dateReserved": "2026-06-29T15:00:47.793Z",
"dateUpdated": "2026-07-16T13:41:56.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13228 (GCVE-0-2026-13228)
Vulnerability from cvelistv5 – Published: 2026-07-01 09:32 – Updated: 2026-07-01 15:33- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events |
Affected:
0 , ≤ 5.6.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:33:15.747907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:33:25.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
"vendor": "latepoint",
"versions": [
{
"lessThanOrEqual": "5.6.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "d.v4n_s3c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer\u0027s email field (including one linked to a WordPress Administrator\u0027s account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T09:32:28.123Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/auth_helper.php#L256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L112"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3\u0026new_path=%2Flatepoint/tags/5.6.4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-24T16:59:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T21:30:37.000Z",
"value": "Disclosed"
}
],
"title": "LatePoint \u003c= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via \u0027order[customer_id]\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13228",
"datePublished": "2026-07-01T09:32:28.123Z",
"dateReserved": "2026-06-24T16:43:26.354Z",
"dateUpdated": "2026-07-01T15:33:25.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12415 (GCVE-0-2026-12415)
Vulnerability from cvelistv5 – Published: 2026-06-27 04:30 – Updated: 2026-06-29 13:14- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| pravel | Invoice Generator |
Affected:
0 , ≤ 1.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:13:55.004055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:14:02.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Invoice Generator",
"vendor": "pravel",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alyudin Nafiie"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress\u0027s password reset flow to gain access to the targeted account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T04:30:30.508Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee045d0d-101a-4ae2-b209-4a4865eec195?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L193"
},
{
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L184"
},
{
"url": "https://plugins.trac.wordpress.org/browser/invoice-creator/trunk/lib/user-manage-function.php#L203"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-26T16:05:32.000Z",
"value": "Disclosed"
}
],
"title": "Invoice Generator \u003c= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via \u0027user_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12415",
"datePublished": "2026-06-27T04:30:30.508Z",
"dateReserved": "2026-06-16T15:59:27.954Z",
"dateUpdated": "2026-06-29T13:14:02.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12224 (GCVE-0-2026-12224)
Vulnerability from cvelistv5 – Published: 2026-07-01 06:51 – Updated: 2026-07-01 10:32- CWE-269 - Improper Privilege Management
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:26:47.266749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:32:04.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dokan Pro",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "5.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T06:51:06.963Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff9c202-b3e8-4660-8763-a9fee468203e?source=cve"
},
{
"url": "https://dokan.co/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-06-14T15:04:59.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T17:43:24.000Z",
"value": "Disclosed"
}
],
"title": "Dokan Pro \u003c= 5.0.4 - Authenticated (Vendor+) Privilege Escalation via update_capabilities REST Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12224",
"datePublished": "2026-07-01T06:51:06.963Z",
"dateReserved": "2026-06-14T14:48:41.497Z",
"dateUpdated": "2026-07-01T10:32:04.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12217 (GCVE-0-2026-12217)
Vulnerability from cvelistv5 – Published: 2026-06-15 04:00 – Updated: 2026-06-15 14:56| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370860 | vdb-entry |
| https://vuldb.com/vuln/370860/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12217 | third-party-advisory |
| https://vuldb.com/submit/833857 | third-party-advisory |
| https://winslow1984.com/books/cve-collection/page… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| DVDFab | Virtual Drive |
Affected:
2.0.0.5
cpe:2.3:a:dvdfab:virtual_drive:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T14:55:46.982887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T14:56:23.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:dvdfab:virtual_drive:*:*:*:*:*:*:*:*"
],
"modules": [
"Signed Kernel Driver"
],
"product": "Virtual Drive",
"vendor": "DVDFab",
"versions": [
{
"status": "affected",
"version": "2.0.0.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "winslow1984 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.8,
"vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T04:00:06.971Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370860 | DVDFab Virtual Drive Signed Kernel Driver dvdfabio.sys privileges management",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/370860"
},
{
"name": "VDB-370860 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370860/cti"
},
{
"name": "CVE-2026-12217 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12217"
},
{
"name": "Submit #833857 | DVDFab DVDFab Virtual Drive 2.0.0.5 Local Privilege Escapation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833857"
},
{
"tags": [
"exploit"
],
"url": "https://winslow1984.com/books/cve-collection/page/dvdfab-virtual-drive-kernel-driver-dvdfabiosys-local-privilege-escalation"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-14T15:50:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "DVDFab Virtual Drive Signed Kernel Driver dvdfabio.sys privileges management"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12217",
"datePublished": "2026-06-15T04:00:06.971Z",
"dateReserved": "2026-06-14T13:45:41.372Z",
"dateUpdated": "2026-06-15T14:56:23.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12165 (GCVE-0-2026-12165)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:30 – Updated: 2026-06-17 10:38- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| contest-gallery | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe |
Affected:
0 , ≤ 30.0.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T10:38:33.394545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T10:38:40.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contest Gallery \u2013 Upload \u0026 Vote Photos, Media, Sell with PayPal \u0026 Stripe",
"vendor": "contest-gallery",
"versions": [
{
"lessThanOrEqual": "30.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chloe Chamberland"
},
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contest Gallery \u2013 Upload \u0026 Vote Photos, Media, Sell with PayPal \u0026 Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin\u0027s admin menu being registered at the `edit_posts` capability level \u2014 granting Contributor-level users access to the plugin\u0027s admin pages and a valid `cg_admin` nonce \u2014 while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer(\u0027cg_admin\u0027)`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin\u0027s stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:30:59.218Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69b909da-b1b0-4dab-916c-908511f6556f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L1242"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/functions/google/cg-create-wp-user-from-google-user.php#L169"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/index.php#L407"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571733%40contest-gallery\u0026new=3571733%40contest-gallery\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T19:49:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-16T20:57:12.000Z",
"value": "Disclosed"
}
],
"title": "Contest Gallery \u003c= 30.0.2 - Authenticated (Author+) Privilege Escalation via \u0027RegistryUserRole\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12165",
"datePublished": "2026-06-17T09:30:59.218Z",
"dateReserved": "2026-06-12T19:34:12.938Z",
"dateUpdated": "2026-06-17T10:38:40.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11616 (GCVE-0-2026-11616)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:49 – Updated: 2026-06-09 13:32- CWE-269 - Improper Privilege Management
| Vendor | Product | Version | |
|---|---|---|---|
| stiofansisland | Events Calendar for GeoDirectory |
Affected:
0 , ≤ 2.3.28
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:32:11.162009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:32:19.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Events Calendar for GeoDirectory",
"vendor": "stiofansisland",
"versions": [
{
"lessThanOrEqual": "2.3.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Hung"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) \u2014 with no allow-list \u2014 to the attacker-controlled $_POST[\u0027type\u0027] and $_POST[\u0027postid\u0027] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user-\u003eID, $rsvp_args[\u0027type\u0027], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes [\u0027subscriber\u0027=\u003etrue,\u0027administrator\u0027=\u003e\u0027administrator\u0027] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the \u0027administrator\u0027 array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:49:56.778Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11ba187b-1fe4-4077-ad9d-a07660133e91?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/events-for-geodirectory/tags/2.3.28/includes/class-geodir-event-ayi.php#L357"
},
{
"url": "https://plugins.trac.wordpress.org/browser/events-for-geodirectory/tags/2.3.28/includes/class-geodir-event-ayi.php#L154"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3533585%40events-for-geodirectory\u0026new=3533585%40events-for-geodirectory\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T19:17:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T19:02:22.000Z",
"value": "Disclosed"
}
],
"title": "Events Calendar for GeoDirectory \u003c= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11616",
"datePublished": "2026-06-09T07:49:56.778Z",
"dateReserved": "2026-06-08T19:02:08.537Z",
"dateUpdated": "2026-06-09T13:32:19.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.