Description
The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.
Published: 2025-11-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Privilege Escalation to Administrator
Action: Apply Patch
AI Analysis

Impact

The Simple User Capabilities plugin for WordPress is missing a capability check in the suc_submit_capabilities() function. According to the CVE description and the CVSS vector (PR:N), an attacker who has not logged in can elevate any existing user account’s role to Administrator; note that the CVE title records the same issue as "Authenticated (Subscriber+) Privilege Escalation", so at minimum any account holder on the site can exploit it. The vulnerability is a classic missing authorization flaw (CWE‑862), which can lead to full control of the site, content theft, and further exploitation of any other installed plugin or theme weaknesses.
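To make the flaw class concrete, the following is an added illustration of a missing-authorization (CWE-862) handler in a WordPress plugin next to its hardened form. It is hypothetical code written for this page, not the Simple User Capabilities plugin's source; the function names, the `example_submit_capabilities` action and the `user_id`/`role` form fields are assumptions. Only the hardened handler is registered so the two can be read side by side.

```php
<?php
/*
 * Added illustration of the missing-authorization pattern (CWE-862) in a
 * WordPress admin-post handler. Hypothetical code, not the Simple User
 * Capabilities plugin's source; function, action and field names are assumed.
 */

// VULNERABLE PATTERN: the handler trusts request data and never asks whether
// the caller may change roles. If it is also registered on the
// admin_post_nopriv_* hook, anonymous POSTs reach it, which is the
// "unauthenticated" case described in the CVE.
function example_vuln_submit_capabilities() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    $user    = get_userdata( $user_id );
    if ( $user && $role ) {
        $user->set_role( $role ); // any role, including 'administrator'
    }
    wp_safe_redirect( admin_url() );
    exit;
}
// Not registered here; it would have been hooked like this:
// add_action( 'admin_post_example_submit_capabilities', 'example_vuln_submit_capabilities' );
// add_action( 'admin_post_nopriv_example_submit_capabilities', 'example_vuln_submit_capabilities' );

// HARDENED PATTERN: capability check, CSRF nonce, and a role allow-list.
function example_safe_submit_capabilities() {
    // 1. Authorization: only callers who may promote users (administrators by
    //    default) get past this line. Anonymous requests have no capabilities.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: the form must carry a nonce tied to this action; on failure
    //    check_admin_referer() dies with a 403 on its own.
    check_admin_referer( 'example_submit_capabilities' );

    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // 3. Input validation: the role must be one the current user is allowed to
    //    assign. get_editable_roles() already filters by the caller's rights.
    $editable = array_keys( get_editable_roles() );
    if ( ! in_array( $role, $editable, true ) ) {
        wp_die( 'Invalid role.', 400 );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', 404 );
    }
    $user->set_role( $role );
    wp_safe_redirect( admin_url( 'users.php?updated=1' ) );
    exit;
}
add_action( 'admin_post_example_submit_capabilities', 'example_safe_submit_capabilities' );
// Deliberately NOT hooked on admin_post_nopriv_*: anonymous requests never reach it.
```

The order of the checks matters: the capability test comes first so that an unauthenticated request is rejected before any nonce or input handling, and the nonce is checked before the request body is trusted. A nonce alone would not fix this class of bug, since a logged-in low-privilege user can obtain a valid nonce from any page that prints one.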

Affected Systems

WordPress sites running the tanvirahmed1984 Simple User Capabilities plugin, versions up to and including 1.0, are affected.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, but the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, and the SSVC assessment records Exploitation: none. The same SSVC entry marks the flaw Automatable: yes with Technical Impact: total, which matches the mechanics: a single HTTP request that triggers suc_submit_capabilities() changes the role of a chosen user to administrator, with no capability check in the way. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a released version of Simple User Capabilities that includes proper capability checks, or if none is available, remove the plugin from the site immediately.
  • Disable or restrict the plugin’s capability‑management features until a patch is applied, ensuring that only existing administrators can modify roles.
  • Implement monitoring of user role changes in WordPress logs to detect unauthorized elevation attempts and respond promptly.
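The second and third recommendations above can be implemented together in a must-use plugin that logs every role change and reverts a promotion to administrator performed by a caller without the `promote_users` capability. This is an added example, not code from the vulnerable plugin or from OpenCVE; the file name, log format and revert policy are assumptions, and it relies on the real WordPress `set_user_role` action, which `WP_User::set_role()` fires with `( $user_id, $new_role, $old_roles )`.

```php
<?php
/*
 * Plugin Name: Example Role Change Guard (mu-plugin)
 * Added example for detecting and containing unauthorized role elevation.
 * Hypothetical code written for this page, not part of the vulnerable plugin
 * or of OpenCVE's recommendations; drop it into wp-content/mu-plugins/ so it
 * loads before ordinary plugins and cannot be deactivated from the admin UI.
 */

// WordPress fires 'set_user_role' from WP_User::set_role() after the change,
// passing ( $user_id, $new_role, $old_roles ).
function example_guard_set_user_role( $user_id, $new_role, $old_roles ) {
    $actor = get_current_user_id(); // 0 for anonymous requests and for WP-CLI without --user
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    $uri   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli';

    // Always log: every role change is a high-value audit event. The line
    // format below is assumed; ship it to whatever your SIEM ingests.
    error_log( sprintf(
        'wp-role-change user=%d new=%s old=%s actor=%d ip=%s uri=%s',
        $user_id, $new_role, implode( ',', (array) $old_roles ), $actor, $ip, $uri
    ) );

    // Containment: a promotion to administrator is legitimate only when the
    // acting user may promote users (administrators by default). Anonymous
    // requests and subscriber-level accounts fail this check, so a hit here is
    // the exploitation pattern this CVE describes.
    if ( 'administrator' === $new_role && ! current_user_can( 'promote_users' ) ) {
        $user = get_userdata( $user_id );
        if ( $user ) {
            // remove_role()/add_role() fire 'remove_user_role'/'add_user_role',
            // not 'set_user_role', so restoring the old roles does not re-enter
            // this function.
            $user->remove_role( 'administrator' );
            foreach ( (array) $old_roles as $r ) {
                $user->add_role( $r );
            }
        }
        error_log( sprintf(
            'wp-role-change BLOCKED elevation of user=%d by actor=%d ip=%s uri=%s',
            $user_id, $actor, $ip, $uri
        ) );
    }
}
add_action( 'set_user_role', 'example_guard_set_user_role', 10, 3 );
```

Two caveats for anyone deploying something like this. WP-CLI runs with no current user unless `--user` is given, so `wp user set-role <login> administrator` from the shell is reverted as well; pass `--user=<an admin>` or temporarily disable the guard for that maintenance. And the guard only sees changes made through `set_role()`; code that calls `add_role( 'administrator' )` directly fires `add_user_role` instead, so a complete monitor hooks that action too. A `BLOCKED` line in the log is the signal to treat the site as under attack and to remove the plugin, as the first recommendation says.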



Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.
Title       |                | Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:01.795Z

Reserved: 2025-10-24T13:21:01.016Z

Link: CVE-2025-12158

Vulnrichment

Updated: 2025-11-04T15:01:53.557Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:10.083

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses