Description
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Improper Authorization
Action: Patch
AI Analysis

Impact

The Melapress Role Editor plugin for WordPress lets users be assigned secondary roles, and the function that saves those assignments, 'save_secondary_roles_field', carries a misconfigured capability check that Subscriber-level users pass. Any authenticated user with Subscriber-level access or above can therefore invoke it and add roles, including Administrator, to their own account. An attacker holding the Administrator role can do anything the site owner can, including installing plugins and themes, editing any content and creating further accounts, so the confidentiality, integrity and availability of the whole site are lost. The weakness is CWE-863, Incorrect Authorization.
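The bug class described above, as an added example that is not the plugin's code: a hypothetical WordPress "save secondary roles" handler whose capability check every logged-in user passes, beside a hardened version that verifies a nonce, demands the promote_users and edit_user capabilities, and allow-lists the roles it will assign. The function, field and nonce-action names are assumptions, and the first section is a set of stand-ins for the WordPress API so the file runs under plain php without a WordPress install.

```php
<?php
// Added example, not the Melapress Role Editor's code: a hypothetical WordPress
// "save secondary roles" handler written to show the bug class behind this CVE,
// a capability check on a role-changing function that a Subscriber can pass.
// Function, field and nonce-action names are assumptions. The stubs in the first
// section stand in for the WordPress API so the file runs under plain `php`
// without a WordPress install; in a real plugin those come from WordPress.

// ---- test doubles for the WordPress pieces used below -------------------------
class WP_User {
    public int $ID;
    public array $roles;
    public array $caps;   // flat capability list, as WordPress resolves caps from roles
    public function __construct(int $id, array $roles, array $caps) {
        $this->ID = $id; $this->roles = $roles; $this->caps = $caps;
    }
    public function add_role(string $role): void {
        if (!in_array($role, $this->roles, true)) { $this->roles[] = $role; }
    }
}
$GLOBALS['users'] = [
    1 => new WP_User(1, ['administrator'], ['read', 'edit_users', 'promote_users']),
    7 => new WP_User(7, ['subscriber'],    ['read']),   // 'read' is all a Subscriber has
];
$GLOBALS['current_user_id'] = 0;
function wp_get_current_user(): WP_User { return $GLOBALS['users'][$GLOBALS['current_user_id']]; }
function get_user_by_id(int $id): ?WP_User { return $GLOBALS['users'][$id] ?? null; }
function current_user_can(string $cap, ...$args): bool {
    $meta = ['edit_user' => 'edit_users'];   // tiny version of WordPress's meta-capability mapping
    return in_array($meta[$cap] ?? $cap, wp_get_current_user()->caps, true);
}
function wp_verify_nonce(string $nonce, string $action): bool {
    return hash_equals('nonce:' . $action, $nonce);   // real nonces are keyed hashes; only the shape matters here
}
function get_editable_roles(): array {
    // WordPress returns the roles the current user may assign; by default that is
    // every role for a user with promote_users and nothing for anyone else.
    return current_user_can('promote_users')
        ? ['administrator' => [], 'editor' => [], 'subscriber' => []] : [];
}
function sanitize_key_local(string $s): string { return preg_replace('/[^a-z0-9_\-]/', '', strtolower($s)); }

// ---- vulnerable pattern: a capability check that every logged-in user passes ----
function save_secondary_roles_field_vulnerable(int $user_id, array $post): bool {
    if (!current_user_can('read')) { return false; }   // every role grants 'read': this is no gate at all
    $target = get_user_by_id($user_id);
    if ($target === null) { return false; }
    foreach ((array) ($post['secondary_roles'] ?? []) as $role) { $target->add_role($role); }
    return true;
}

// ---- hardened pattern ------------------------------------------------------------
function save_secondary_roles_field_fixed(int $user_id, array $post): bool {
    // 1. CSRF: the request must carry a nonce bound to this action and target user.
    if (!wp_verify_nonce((string) ($post['_wpnonce'] ?? ''), 'save_secondary_roles_' . $user_id)) { return false; }
    // 2. Authorization: changing roles needs promote_users plus the right to edit this user.
    if (!current_user_can('promote_users') || !current_user_can('edit_user', $user_id)) { return false; }
    $target = get_user_by_id($user_id);
    if ($target === null) { return false; }
    // 3. Allow-list: only roles the caller may hand out, matched after sanitizing the input.
    $allowed = array_keys(get_editable_roles());
    foreach ((array) ($post['secondary_roles'] ?? []) as $role) {
        $role = sanitize_key_local((string) $role);
        if (!in_array($role, $allowed, true)) { return false; }   // any unknown role rejects the whole request
        $target->add_role($role);
    }
    return true;
}

// ---- demonstration: Subscriber #7 tries to add Administrator to their own account ----
$attack = ['secondary_roles' => ['administrator'], '_wpnonce' => 'nonce:save_secondary_roles_7'];
$GLOBALS['current_user_id'] = 7;
save_secondary_roles_field_vulnerable(7, $attack);
printf("vulnerable handler, as subscriber: roles are now [%s]\n", implode(',', get_user_by_id(7)->roles));

get_user_by_id(7)->roles = ['subscriber'];   // reset
$ok = save_secondary_roles_field_fixed(7, $attack);
printf("fixed handler, as subscriber:      %s, roles [%s]\n", $ok ? 'accepted' : 'rejected', implode(',', get_user_by_id(7)->roles));

$GLOBALS['current_user_id'] = 1;             // the same request from an Administrator
$ok = save_secondary_roles_field_fixed(7, $attack);
printf("fixed handler, as administrator:   %s, roles [%s]\n", $ok ? 'accepted' : 'rejected', implode(',', get_user_by_id(7)->roles));
```

Run it with php on the command line. The point of the three-step gate in the fixed handler is that a nonce alone is a CSRF defence, not an authorization check: a Subscriber can obtain a perfectly valid nonce for their own session, so the request must also be denied on capabilities, and the roles themselves must come from an allow-list rather than straight from the request body.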

Affected Systems

All installations of the Melapress Role Editor plugin at version 1.1.1 or earlier are affected. The vulnerable handler is only reachable where the plugin is installed and activated; a copy that is merely downloaded or deactivated does not load its hooks. Any site that has run an affected version with low-privilege accounts present should be treated as possibly already compromised until its user list has been reviewed.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (High) comes from the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network, is simple to trigger, needs only a low-privilege account and no user interaction, and gives the attacker full control of the site. The EPSS score below 1% is an estimate that exploitation in the wild is unlikely in the near term, not evidence that the flaw is hard to exploit, and the CVE is not in the CISA KEV catalog; CISA's SSVC assessment likewise records Exploitation: none and Automatable: no. The only precondition is an authenticated account at Subscriber level, which any site with open registration, customer accounts or comment registration hands out freely, so the attack vector is network, not local: with such an account the attacker submits the request that invokes the secondary-role save handler for their own user and adds the Administrator role.

Generated by OpenCVE AI on April 22, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Melapress Role Editor plugin to a release newer than 1.1.1 that carries the corrected capability check, and confirm the installed version afterwards.
  • If no fixed release is available, deactivate the plugin until one is: a deactivated plugin's code is not loaded, so the vulnerable save handler cannot be reached. Commenting out code in the plugin files is a poor substitute, since the edit is silently undone by the next update and is easy to get wrong.
  • Review every account for unexpected role assignments, not only the Administrator list. WordPress lets a user hold several roles at once (they are stored together in the wp_capabilities entry of wp_usermeta), so a compromised Subscriber account still shows Subscriber alongside the added Administrator role. Revoke any role that was not granted deliberately, reset the password and sessions of the affected accounts, and then check for plugins, themes, admin users or content changes made after the suspicious assignment.
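One way to carry out the user review in the last action, as an added example that is not part of the advisory or the plugin: a script that decodes wp_capabilities values the way WordPress stores them (a serialized PHP array of role => true) and flags accounts that hold a privileged role stacked on Subscriber, more than one role, or a privileged role without being on an allow-list. The rows are constructed here; the allow-list of known privileged accounts is an assumption.

```php
<?php
// Added example (not from the advisory or the plugin): audit WordPress accounts
// for role sets that look like a self-granted secondary role. The rows below are
// constructed in the shape of wp_usermeta rows with meta_key = 'wp_capabilities';
// on a real site pull them with
//   SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities';
// (the table prefix may differ from the default wp_). The allow-list is an assumption.

const PRIVILEGED_ROLES = ['administrator', 'editor'];
const KNOWN_PRIVILEGED_USERS = [1];   // assumed: the only account that should hold a privileged role

// Decode one wp_capabilities value into the role slugs it grants. WordPress stores
// roles as a serialized PHP array of role => true, so a user with a secondary role
// has two keys, e.g. a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}
function roles_from_capabilities(string $serialized): ?array {
    $caps = @unserialize($serialized, ['allowed_classes' => false]);   // never instantiate objects from DB data
    if (!is_array($caps)) { return null; }                               // corrupt or tampered value
    return array_keys(array_filter($caps, fn($granted) => $granted === true || $granted === 1 || $granted === '1'));
}

// Return one finding per suspicious account: ['user_id' => ..., 'roles' => [...], 'reasons' => [...]].
function audit_user_roles(array $rows): array {
    $findings = [];
    foreach ($rows as $user_id => $meta_value) {
        $roles = roles_from_capabilities($meta_value);
        if ($roles === null) {
            $findings[] = ['user_id' => $user_id, 'roles' => [], 'reasons' => ['wp_capabilities is not a serialized array']];
            continue;
        }
        if (array_intersect($roles, PRIVILEGED_ROLES) === []) { continue; }   // nothing privileged: out of scope here
        $reasons = [];
        if (in_array('subscriber', $roles, true)) { $reasons[] = 'privileged role stacked on subscriber'; }
        if (count($roles) > 1)                    { $reasons[] = 'holds ' . count($roles) . ' roles'; }
        if (!in_array($user_id, KNOWN_PRIVILEGED_USERS, true)) { $reasons[] = 'not on the privileged-user allow-list'; }
        if ($reasons !== []) { $findings[] = ['user_id' => $user_id, 'roles' => $roles, 'reasons' => $reasons]; }
    }
    return $findings;
}

// Constructed sample rows (user_id => meta_value).
$rows = [
    1  => 'a:1:{s:13:"administrator";b:1;}',                           // the expected administrator
    2  => 'a:1:{s:6:"editor";b:1;}',                                    // editor not on the allow-list
    7  => 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}',      // subscriber who "became" administrator
    9  => 'a:1:{s:10:"subscriber";b:1;}',                               // ordinary subscriber
    12 => 'O:8:"stdClass":0:{}',                                        // not an array: tampered or broken
];

foreach (audit_user_roles($rows) as $f) {
    printf("user %-3d roles=[%s]  %s\n", $f['user_id'], implode(',', $f['roles']), implode('; ', $f['reasons']));
}
```

With the constructed rows the script reports users 2, 7 and 12 and stays silent on 1 and 9. The stacked-on-subscriber case is the signature to look for after this CVE, because a self-granted secondary role is added next to the existing one rather than replacing it; a query that only lists accounts whose role is exactly Administrator would miss it.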

Generated by OpenCVE AI on April 22, 2026 at 20:08 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Wordpress
                                        Wordpress wordpress
Vendors & Products                      Wordpress
                                        Wordpress wordpress

Fri, 23 Jan 2026 15:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 12:45:00 +0000

Type                  Values Removed    Values Added
Description                             The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.
Title                                   Melapress Role Editor <= 1.1.1 - Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment
Weaknesses                              CWE-863
References
Metrics                                 cvssV3_1
                                        {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:17.740Z

Reserved: 2025-12-18T01:55:21.873Z

Link: CVE-2025-14866

Vulnrichment

Updated: 2026-01-23T14:13:46.844Z

NVD

Status : Deferred

Published: 2026-01-23T13:15:47.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses