Impact
The User Management plugin for WordPress contains an incorrect privilege assignment flaw that enables a user to elevate their access level beyond what is intended. This vulnerability allows an attacker who can manipulate the plugin’s user management functions to grant themselves higher privileges, potentially bypassing built‑in role restrictions.
Affected Systems
The flaw affects the Saad Iqbal User Management plugin for WordPress in all releases from the earliest available version up to and including version 1.2. Any WordPress installation running this plugin at version 1.2 or earlier is vulnerable.
Risk and Exploitability
Based on the description, it is inferred that an attacker would likely exploit the flaw by compromising the web interface of the WordPress site, where the plugin operates, and then issuing specially crafted requests to the user‑management endpoints to modify role assignments. The CVSS score of 8.8 reflects high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication or access to the administrative interface, suggesting a moderate-to-high-effort attack vector.