Description
Incorrect Privilege Assignment vulnerability in mojoomla WPAMS apartment-management allows Privilege Escalation.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
Published: 2025-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPAMS apartment‑management plugin contains an incorrect privilege assignment flaw that allows an attacker to increase their privileges within the plugin. An unauthorized user who can trigger the affected functionality could gain higher permissions, potentially enabling them to modify or delete apartment management data, alter user roles, or gain unauthorized administrative access. The flaw can directly compromise the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

The vulnerability affects the WordPress plugin WPAMS developed by mojoomla. All installations running versions up to and including 44.0 as of 17‑08‑2023 are impacted. No specific installation or environment details are provided beyond the plugin version.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity vulnerability. The EPSS score of less than 1% suggests that the probability of exploitation observed in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires an authenticated user who can access the plugin’s management interface; the attacker would exploit the improper privilege assignment to elevate their access level. Because the issue is tied to a user permission error, an attacker would need at least read or limited write ability within WordPress to exploit it.

Generated by OpenCVE AI on April 30, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPAMS plugin to the latest version that contains the privilege assignment fix.
  • If an update is unavailable, disable or uninstall the plugin to eliminate the attack surface.
  • Review and tighten WordPress user roles and capabilities, ensuring that only trusted administrators have access to the apartment‑management features.
  • Monitor audit logs for anomalous privilege changes or unauthorized access attempts.

Generated by OpenCVE AI on April 30, 2026 at 19:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15764 Incorrect Privilege Assignment vulnerability in mojoomla WPAMS allows Privilege Escalation.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in mojoomla WPAMS allows Privilege Escalation.This issue affects WPAMS: from n/a through 44.0 (17-08-2023). Incorrect Privilege Assignment vulnerability in mojoomla WPAMS apartment-management allows Privilege Escalation.This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in mojoomla WPAMS allows Privilege Escalation.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Title WordPress WPAMS plugin <= 44.0 (17-08-2023) - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.272Z

Reserved: 2025-04-16T06:22:51.799Z

Link: CVE-2025-39405

cve-icon Vulnrichment

Updated: 2025-05-19T21:13:26.450Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T19:15:48.777

Modified: 2026-04-23T15:29:29.523

Link: CVE-2025-39405

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:45:26Z

Weaknesses