Impact
The vulnerability is an incorrect privilege assignment flaw in the mojoomla Hospital Management System WordPress plugin that lets an attacker escalate to a higher privilege level, potentially gaining administrative access to patient data and system settings. The affected code paths let a user holding a lower role execute functions reserved for administrators, violating the principle of least privilege. The weakness is classified as CWE‑266 (Incorrect Privilege Assignment), reflecting insecure privilege management.
Affected Systems
The issue affects the mojoomla Hospital Management System WordPress plugin in versions 47.0 (dated 20‑11‑2023) and earlier. Administrators running this plugin on any WordPress installation should verify the installed plugin version and update if possible.
Risk and Exploitability
The CVSS score of 8.8 indicates a high-severity vulnerability. The EPSS score of less than 1 % suggests a low likelihood of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, an attacker authenticated as a user with at least basic privileges could exploit the flaw by sending crafted requests that bypass the proper role checks. Because the attack requires only an existing account and no additional privileges, the flaw can be leveraged by malicious users who have obtained credentials, including through social engineering or credential reuse. The potential impact includes unauthorized access to sensitive medical records and administrative control of the system.
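The class of defect described above (a privileged action gated only on "is the visitor logged in?") and its fix, as an added illustration that is not the mojoomla plugin's code; the hook, option and function names (hms_demo_*) are hypothetical, and the WordPress APIs used (check_ajax_referer, current_user_can, update_option) are standard core functions.

```php
<?php
// Added illustration, not code from the affected plugin. Shows a WordPress
// admin-ajax handler written two ways. All hms_demo_* names are hypothetical.

// Vulnerable pattern (CWE-266): the only gate is is_user_logged_in(). Any role
// that can authenticate, e.g. a low-privilege patient or subscriber account,
// reaches a function that changes a site-wide setting reserved for admins.
function hms_demo_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['notify_email'] ?? '' ) );
    update_option( 'hms_demo_notify_email', $value );
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action (blocks CSRF) and
// require a capability that only administrators hold before touching
// privileged state. A role is not a capability; check the capability.
function hms_demo_save_settings_hardened() {
    check_ajax_referer( 'hms_demo_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $value = sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) );
    if ( ! is_email( $value ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    update_option( 'hms_demo_notify_email', $value );
    wp_send_json_success();
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
// wp_ajax_* hooks already fire only for authenticated users, which is exactly
// why "logged in" adds no protection on its own.
add_action( 'wp_ajax_hms_demo_save_settings', 'hms_demo_save_settings_hardened' );
```

When reviewing a plugin for this weakness, grep every admin-ajax, REST and admin_post handler for a capability check (current_user_can or a REST permission_callback) rather than a login check; a handler that has only the latter is a candidate for the same class of flaw.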
OpenCVE Enrichment
EUVD