Description
The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2025-26741 is likely a duplicate of this issue.
Published: 2025-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The Email Notifications for Updates plugin for WordPress contains a missing capability check in the awun_import_settings() function. The flaw allows authenticated users with Subscriber-level access or higher to update arbitrary WordPress options. By changing the default role for new registrations to administrator and enabling user registration, an attacker can create a new administrative account. This bypasses normal access controls and can lead to full site compromise.

Affected Systems

All installations of WordPress that use the Email Notifications for Updates plugin version 1.1.6 or earlier are affected. Any authenticated user with the Subscriber role or higher can trigger the flaw, since the missing check is present in the plugin code of every affected release.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity issue. The EPSS score of less than 1% indicates current exploitation is rare, and the flaw is not listed in CISA's KEV catalog. However, because the vulnerability only requires an authenticated Subscriber account, many sites may have users that meet this requirement. Exploitation would involve an attacker logging in as a subscriber, invoking the awun_import_settings() endpoint with crafted option values (e.g., default_role=administrator, user_registration=1), and thereby creating an administrative user. The root weakness is a missing authorization check (CWE-862).

Generated by OpenCVE AI on April 20, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Email Notifications for Updates plugin to version 1.1.7 or later, which adds the proper capability check before modifying options.
  • If an update is not available, remove or disable the plugin entirely to eliminate the attack surface.
  • Restrict Subscriber role capabilities to prevent arbitrary option updates, and review the site’s role and registration settings to ensure the default role remains Subscriber and user registration is disabled unless intentionally allowed.
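As an added illustration of the CWE-862 pattern described in the analysis above and of the capability check the recommended update is said to add: this is constructed example code, not the plugin's source; the handler bodies, the AJAX hook registration and the awun_* option names are assumptions.

```php
<?php
// Constructed illustration of a missing-capability-check settings import
// in a WordPress plugin (CWE-862). NOT the plugin's actual code.

// VULNERABLE PATTERN: the handler is reachable by any logged-in user and
// writes every submitted key straight into wp_options. Core options such as
// users_can_register and default_role are therefore writable by a Subscriber,
// which is the escalation path the advisory describes.
function awun_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $key => $value ) {
        update_option( $key, $value ); // arbitrary option write, no auth check
    }
    wp_send_json_success();
}

// HARDENED PATTERN: require the manage_options capability, verify a nonce,
// and only accept keys from the plugin's own allowlist so core options can
// never be touched through this endpoint.
function awun_import_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'awun_import_settings', 'nonce' );

    // Assumed plugin option names; a real plugin would list its own here.
    $allowed  = array( 'awun_notify_email', 'awun_notify_core', 'awun_notify_plugins' );
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    foreach ( $settings as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // drop anything outside the plugin's own namespace
        }
        update_option( $key, sanitize_text_field( (string) $value ) );
    }
    wp_send_json_success();
}

// wp_ajax_* hooks fire for every authenticated user regardless of role, so the
// handler itself must enforce authorization. Only the hardened handler is wired up.
add_action( 'wp_ajax_awun_import_settings', 'awun_import_settings_hardened' );
```

When reviewing a site after an update, confirm that the default_role option is still "subscriber" and users_can_register is "0" unless open registration is intended.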



Advisories
Source: EUVD
ID: EUVD-2025-10021
Title: The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Values Added: The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2025-26741 is likely a duplicate of this issue.

Mon, 07 Apr 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 05 Apr 2025 02:15:00 +0000

Type: Title
Values Added: Email Notifications for Updates <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Sat, 05 Apr 2025 03:00:00 +0000

Type: Description
Values Added: The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:59.683Z

Reserved: 2025-03-28T16:51:52.574Z

Link: CVE-2025-2933

Vulnrichment

Updated: 2025-04-07T13:05:09.420Z

NVD

Status: Deferred

Published: 2025-04-05T02:15:15.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses