The vulnerability is an incorrect privilege assignment in the Dasinfomedia WPCHURCH WordPress plugin that allows an attacker to elevate privileges. An attacker who can leverage the flaw can gain higher role capabilities than they originally possess, potentially gaining full site administrative access. This weakness is categorized as CWE‑266, which reflects unauthorized privilege escalation.

All installations of the WPCHURCH plugin belonging to Dasinfomedia, specifically versions up to and including 2.7.0, are impacted. The vulnerability applies to every WordPress site that has the plugin installed and has not yet been updated beyond 2.7.0.

With a CVSS score of 8.8 the flaw is considered high severity, and the EPSS score of less than 1 % indicates a low probability of widespread exploitation, though the lack of a KEV listing does not negate its risk. The impact is limited to sites where the attacker can execute privileged functions; compromising user roles is usually sufficient to escape the scope of standard permissions, which could lead to full control over the WordPress installation. The likely attack vector is a local attacker who can authenticate but is assigned a lower role, or an attacker who has injection to modify role mappings. The vulnerability would be exploited by an attacker that can send a crafted request to the plugin's API or interface to reassign capabilities.