Impact
The vulnerability in the Custom Fields Account Registration For Woocommerce plugin is an Incorrect Privilege Assignment flaw (CWE-266): the role given to a new account is influenced by data supplied during registration or through the plugin's custom fields rather than being fixed server-side, so a lower-privileged user can obtain higher-level permissions. An attacker who lands in an elevated role can read or modify sensitive data and compromise the site.
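As an added example that is not the plugin's own code, the following hypothetical PHP shows the CWE-266 pattern the advisory describes (a registration handler that lets request data decide the role) beside a hardened handler that fixes the role server-side and whitelists custom-field keys. The `cfar_*` function names, the nonce action `cfar_register` and the `cfar_allowed_custom_fields()` stand-in are assumptions; the WordPress and WooCommerce API calls are real.

```php
<?php
// Added illustration of the CWE-266 pattern; NOT the plugin's real code.
// Assumed hypothetical names: cfar_* functions, nonce action 'cfar_register',
// and cfar_allowed_custom_fields() standing in for the admin-configured field list.

/**
 * VULNERABLE pattern: every posted field is copied into the wp_insert_user()
 * array. A request carrying role=administrator (or meta_input[wp_capabilities])
 * therefore decides the new account's role.
 */
function cfar_register_user_vulnerable( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
    );
    foreach ( $post as $key => $value ) {
        if ( ! array_key_exists( $key, $userdata ) ) {
            $userdata[ $key ] = $value; // 'role' and 'meta_input' pass straight through
        }
    }
    return wp_insert_user( $userdata ); // honours $userdata['role'] via WP_User::set_role()
}

/**
 * HARDENED pattern: the role is fixed server-side, only admin-configured
 * custom-field keys are stored, and keys that would rewrite capabilities
 * are refused even if an administrator misconfigures the field list.
 */
function cfar_register_user_hardened( array $post ) {
    if ( empty( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'cfar_register' ) ) {
        return new WP_Error( 'cfar_bad_nonce', 'Invalid registration request.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $post['username'] ) ),
        'user_email' => sanitize_email( wp_unslash( $post['email'] ) ),
        'user_pass'  => $post['password'],
        'role'       => 'customer', // WooCommerce customer role; never read from the request
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    global $wpdb;
    $reserved = array(
        $wpdb->prefix . 'capabilities', // usermeta key that actually holds the role
        $wpdb->prefix . 'user_level',
        'role',
        'meta_input',
    );
    foreach ( cfar_allowed_custom_fields() as $key ) {
        if ( in_array( $key, $reserved, true ) || ! isset( $post[ $key ] ) ) {
            continue; // unknown or reserved key: ignore, do not store
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $post[ $key ] ) ) );
    }
    return $user_id;
}

/** Stand-in for the admin-configured custom field list (assumption). */
function cfar_allowed_custom_fields() {
    return array( 'billing_company', 'vat_number' );
}
```

The two things to check in any registration or profile-edit code path are whether `role` or `meta_input` can arrive from the request, and whether a custom field can be named after the `{$wpdb->prefix}capabilities` usermeta key; either one lets the client pick its own role.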
Affected Systems
This flaw affects WordPress sites running the silverplugins217 Custom Fields Account Registration For Woocommerce plugin at version 1.2 or earlier. The CVE record gives no lower version bound ("n/a"), so every release up to and including 1.2 should be treated as affected. Site administrators should check whether the plugin is installed and which version is active.
Risk and Exploitability
A CVSS score of 7.2 indicates high severity, while an EPSS score below 1% shows a low current exploitation probability, and the issue is not listed in CISA KEV. The likely attack vector is the plugin's user registration form or API endpoints that accept custom fields: an attacker who can craft a registration request or manipulate a custom field may trigger the privilege escalation. Because submitting registration data is typically possible for unauthenticated visitors over the network, the exposure is remote; anyone who can reach the registration endpoint, not only local or authenticated users, is a candidate attacker.
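Added example, not from the page or the plugin: an audit snippet a site administrator could load as an mu-plugin to log role changes as they happen (including those triggered through a registration request) and to list privileged accounts registered recently. The privileged-role list, the 30-day window and the `role_audit_*` names are assumptions; the hooks and API calls are real WordPress and WP-CLI ones.

```php
<?php
// Added audit snippet for site administrators; not part of the plugin.
// Assumptions: the privileged role list, the 30-day default window, and that this
// file is loaded as an mu-plugin (wp-content/mu-plugins/role-audit.php).

// 1. Log every role change at the moment it happens. WordPress fires
//    'set_user_role' from WP_User::set_role(), which wp_insert_user() calls,
//    so an escalation through a registration request is recorded here too.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        '[role-audit] user=%s id=%d old=%s new=%s ip=%s uri=%s',
        $user ? $user->user_login : '?',
        $user_id,
        $old_roles ? implode( ',', $old_roles ) : '(none)',
        $role,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
}, 10, 3 );

// 2. Retrospective check: privileged accounts registered in the last N days.
//    A freshly registered account that holds administrator, editor or
//    shop_manager is the signature to look for after this kind of bug.
function role_audit_recent_privileged_users( $days = 30 ) {
    $users = get_users( array(
        'role__in'   => array( 'administrator', 'editor', 'shop_manager' ), // assumed list
        'date_query' => array( array( 'after' => $days . ' days ago' ) ),   // user_registered
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    $rows = array();
    foreach ( $users as $u ) {
        $rows[] = sprintf( '%d %s %s roles=%s',
            $u->ID, $u->user_login, $u->user_registered, implode( ',', $u->roles ) );
    }
    return $rows;
}

// 3. Expose the check to WP-CLI as: wp role-audit recent --days=30
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'role-audit recent', function ( $args, $assoc_args ) {
        $days = isset( $assoc_args['days'] ) ? (int) $assoc_args['days'] : 30;
        foreach ( role_audit_recent_privileged_users( $days ) as $row ) {
            WP_CLI::line( $row );
        }
    } );
}
```

Without the mu-plugin, the same retrospective check can be run with stock WP-CLI: `wp user list --role=administrator --fields=ID,user_login,user_registered`, repeated for each privileged role. The log line written by the `set_user_role` hook is what lets you correlate an unexpected role change with the request URI and source address that caused it.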
OpenCVE Enrichment