Impact
The SmartSEO plugin contains an incorrect privilege assignment flaw that lets users elevate their privileges within a WordPress site, so an attacker can gain higher capabilities than were originally granted. The issue is recorded as a control-flow and access-control weakness (CWE-266) that can compromise confidentiality, integrity, and availability, since it can potentially hand an attacker full control of the site.
Affected Systems
The vulnerability affects the SmartSEO plugin from axiomthemes in all releases up to and including version 4.0. Any WordPress installation that has this plugin installed at a version within that range is at risk.
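A defender's first question is whether an installed copy falls inside that range. The following added example (not code from the advisory or from the plugin) reads the version out of a WordPress plugin header and compares it numerically against the last affected release; the header text is a constructed sample, and the plugin's real main-file path and slug are not given on this page, so a reader would point the checker at the actual file.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: all releases up to and including 4.0.
LAST_AFFECTED_VERSION = "4.0"

# Constructed sample of a WordPress plugin header (not the real SmartSEO file);
# the URI and version values are illustrative only.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: SmartSEO
 * Plugin URI:  https://example.invalid/smartseo
 * Description: Sample header used to exercise the checker.
 * Version:     3.9.2
 * Author:      axiomthemes
 */
"""


def parse_plugin_header(source: str) -> dict:
    """Extract 'Key: value' pairs from the first /** ... */ comment block."""
    header = {}
    block = re.search(r"/\*\*(.*?)\*/", source, re.S)
    if not block:
        return header
    for line in block.group(1).splitlines():
        line = line.strip().lstrip("*").strip()
        if ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key so that 3.10 > 3.9 and 4.0.1 > 4.0 == 4.0.0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:  # trailing zeros do not change the version
        parts.pop()
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when the version is within the advisory's affected range."""
    return version_key(version) <= version_key(last_affected)


def check_plugin(source: str) -> Optional[bool]:
    """True if affected, False if outside the range, None if unreadable."""
    header = parse_plugin_header(source)
    if header.get("Plugin Name") != "SmartSEO" or "Version" not in header:
        return None
    return is_affected(header["Version"])
```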
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests that mass exploitation is unlikely; the issue nonetheless remains dangerous for targeted attacks. Based on the description, the attack vector is inferred to require a user to authenticate to the WordPress site and interact with the plugin's administrative interface, so exploitation is likely local and relies on normal WordPress authentication. Because the flaw is an incorrect privilege assignment, an attacker who already holds basic access, or who can trick a user into performing a specific action, can elevate to the administrator level and place the entire site at risk. The vulnerability is not currently listed in CISA's KEV catalog.
OpenCVE Enrichment