Impact
The vulnerability is an incorrect privilege assignment (CWE-266) in the bPlugins Advanced scrollbar plugin for WordPress. It allows an attacker to obtain permissions beyond those of their current role, potentially elevating an ordinary user account to administrator. The weakness lies in how the plugin assigns or checks user privileges, so any user who can reach the plugin's interfaces is a candidate to exploit it; the public description gives no further technical detail on the triggering request.
Affected Systems
All releases of the Advanced scrollbar plugin up to and including version 1.1.8 are affected. Any WordPress installation with one of these versions installed is at risk. The flaw is independent of the WordPress core version and requires only that the vulnerable plugin be present and active, so the practical check is the plugin's own version number rather than the site's WordPress release.
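As an added practitioner check (this is not code from the advisory or from bPlugins), the script below reads a plugin's WordPress file header, extracts its Version field and reports whether it falls in the affected range of 1.1.8 or earlier. The comparison is numeric, so 1.1.10 is correctly treated as newer than 1.1.8. The plugin-name string it matches on ("Advanced Scrollbar", compared case-insensitively) and the sample header are assumptions constructed for this example; point `scan_plugins()` at a real `wp-content/plugins` directory to check an installation.

```python
"""Check whether an installed copy of the bPlugins Advanced scrollbar plugin
falls in the affected range (every release up to and including 1.1.8)."""
import re
from pathlib import Path

# Highest affected release, per the advisory text.
LAST_AFFECTED = "1.1.8"

# Assumption: the plugin's file header names it "Advanced Scrollbar"; matched
# case-insensitively because the exact capitalisation is not given here.
PLUGIN_NAME = "advanced scrollbar"

# One "Field: value" line of a WordPress plugin header comment.
HEADER_FIELD = r"^[\s*]*{field}:[ \t]*(.+?)[ \t]*$"


def header_field(header: str, field: str):
    """Return one field from a WordPress plugin header comment, or None."""
    m = re.search(HEADER_FIELD.format(field=re.escape(field)), header, re.MULTILINE)
    return m.group(1) if m else None


def parse_version(v: str):
    """'1.1.8' -> (1, 1, 8). A non-numeric suffix such as '-beta' is dropped
    from its component so the comparison stays numeric."""
    out = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def version_le(a: str, b: str) -> bool:
    """Numeric comparison padded to equal length, so '1.2' == '1.2.0' and
    '1.1.10' > '1.1.8' (a plain string compare gets the latter wrong)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) <= tb + (0,) * (n - len(tb))


def assess(header: str):
    """Classify a plugin header as ('affected'|'patched'|'unknown', version)."""
    version = header_field(header, "Version")
    if version is None:
        # No Version field: flag for manual review rather than assuming safe.
        return ("unknown", None)
    return ("affected" if version_le(version, LAST_AFFECTED) else "patched", version)


def scan_plugins(plugins_dir) -> list:
    """Walk wp-content/plugins and report every copy of the plugin found.
    WordPress reads the header from any top-level .php file of a plugin folder."""
    findings = []
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            head = php.read_text(errors="replace")[:8192]  # header sits at file start
        except OSError:
            continue
        name = header_field(head, "Plugin Name")
        if name and name.lower() == PLUGIN_NAME:
            findings.append((str(php),) + assess(head))
    return findings


# Constructed sample header (not a real file from the plugin) for a local run.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Advanced Scrollbar
 * Description: Sample header used to exercise the check.
 * Version: 1.1.8
 * Author: bPlugins
 */
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for finding in scan_plugins(sys.argv[1]):
            print(*finding)
    else:
        print(assess(SAMPLE_HEADER))  # ('affected', '1.1.8')
```

Run it as `python check_scrollbar.py /var/www/html/wp-content/plugins` to list every matching plugin folder with its status; a result of `unknown` means the header had no Version line and the copy should be inspected by hand.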
Risk and Exploitability
The CVSS score of 8.8 indicates high severity for this privilege escalation. The EPSS score of less than 1 % suggests that exploitation in the wild is presently uncommon, and the vulnerability is not listed in CISA's KEV catalog; a low EPSS reflects observed exploitation activity, not difficulty, and is not a reason to defer patching. The likely attack vector is a user who can reach the WordPress administration interface or otherwise influence the plugin's behavior. The public description does not detail a technical exploitation method, so this vector is inferred from the plugin's purpose and the nature of the flaw. If successfully exploited, an attacker would gain elevated privileges giving full control over the site's content and settings; in WordPress an administrator can also install plugins and themes, which amounts to running arbitrary code on the host.
OpenCVE Enrichment