CVE-2025-23528 - Vulnerability Details

- WordPress DD Roles plugin <= 4.1 - Privilege Escalation vulnerability

Description

Incorrect Privilege Assignment vulnerability in Mosterd3d DD Roles dd-roles allows Privilege Escalation.This issue affects DD Roles: from n/a through <= 4.1.

Published: 2025-01-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from incorrect privilege assignment within the DD Roles plugin produced by Mosterd3d. Attackers can exploit this flaw to elevate their user role, thereby gaining higher authority than intended. The likely attack vector is via manipulation of role assignment features when an authenticated user submits privileged changes. The weakness lies in the improper handling of user permissions, as indicated by CWE-266.

Affected Systems

WordPress sites that load the DD Roles plugin from Mosterd3d, specifically all releases up to and including version 4.1.

Risk and Exploitability

The likely attack vector is through authenticated manipulation of role assignment settings. The vulnerability scores a CVSS of 8.8, signaling high severity, but its EPSS of less than 1% suggests exploitation is unlikely at present and the issue is not yet recorded in CISA’s KEV catalog. Based on the description, it is inferred that the attacker needs at least a basic authenticated role; from there, they can manipulate role assignments or inject higher‑level permissions. No public exploit is known, but the potential impact on confidentiality, integrity, and all user accounts warrants caution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mosterd3d

DD Roles

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update or replace the DD Roles plugin with a version newer than 4.1, or uninstall the plugin if no upgrade exists.
Limit administrative access and restrict user roles, ensuring that only trusted accounts can edit role assignments.
Audit current user roles and revoke any unintended elevated permissions that may have been granted prior to applying a fix.
Apply standard security hardening practices for WordPress, such as using strong passwords, two‑factor authentication, and regular patch management.

Generated by OpenCVE AI on May 2, 2026 at 06:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-3229	Incorrect Privilege Assignment vulnerability in Wouter Dijkstra DD Roles allows Privilege Escalation.This issue affects DD Roles: from n/a through 4.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00111.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/dd-roles/vulnerability/wordpress-dd-roles-plugin-4-1-privilege-escalation-vulnerability?_s_id=cve

History

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Incorrect Privilege Assignment vulnerability in Wouter Dijkstra DD Roles allows Privilege Escalation.This issue affects DD Roles: from n/a through 4.1.	Incorrect Privilege Assignment vulnerability in Mosterd3d DD Roles dd-roles allows Privilege Escalation.This issue affects DD Roles: from n/a through <= 4.1.
References	https://patchstack.com/database/wordpress/plugin/dd-roles/vulnerability/wordpress-dd-roles-plugin-4-1-privilege-escalation-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/dd-roles/vulnerability/wordpress-dd-roles-plugin-4-1-privilege-escalation-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 17 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 16 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Description		Incorrect Privilege Assignment vulnerability in Wouter Dijkstra DD Roles allows Privilege Escalation.This issue affects DD Roles: from n/a through 4.1.
Title		WordPress DD Roles plugin <= 4.1 - Privilege Escalation vulnerability
Weaknesses		CWE-266
References		https://patchstack.com/database/wordpress/plugin/dd-roles/vulnerability/wordpress-dd-roles-plugin-4-1-privilege-escalation-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-01-16T20:06:16.245Z

Updated: 2026-05-11T22:56:13.108Z

Reserved: 2025-01-16T11:25:49.095Z

Link: CVE-2025-23528

Vulnrichment

Updated: 2025-01-17T17:14:15.656Z

NVD

Status : Deferred

Published: 2025-01-16T20:15:38.480

Modified: 2026-04-29T10:16:40.900

Link: CVE-2025-23528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses

CWE-266

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object