Impact
An incorrect privilege assignment flaw in AA‑Team Premium Age Verification / Restriction for WordPress and AA‑Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows an attacker to elevate their access level beyond what the plugin is intended to permit. By exploiting this weakness, an attacker could gain higher‑privileged permissions within the WordPress installation, enabling actions usually reserved for administrators. The flaw is classified as CWE‑266 (Incorrect Privilege Assignment), an authorization weakness that can compromise the integrity of the system.
Affected Systems
The vulnerability affects AA‑Team Premium Age Verification / Restriction for WordPress up through version 3.0.2 and AA‑Team Responsive Coming Soon Landing Page / Holding Page for WordPress up through version 3.0. No earlier launch date is specified. Users running these plugins on any WordPress site are potentially impacted unless they have upgraded to a fixed release.
Risk and Exploitability
With a CVSS score of 8.8, the flaw is classified as High. The EPSS score is less than 1%, indicating a low exploitation probability, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote: a non‑privileged user or a script can send a crafted request to the vulnerable plugin’s endpoints, triggering the privilege escalation. Although exploitation is considered improbable, the severity of the impact warrants prompt action.