Missing authorization in the User Roles and Capabilities plugin allows an attacker to change or elevate user roles within a WordPress site, potentially granting unauthorized administrative access. The flaw stems from incorrectly configured access control checks and is classified as CWE‑862. The consequence is loss of integrity and confidentiality of site content and configuration, with the possibility of full site takeover if the attacker can assign administrator rights.

The vulnerability affects installations of the User Roles and Capabilities plugin by mahabub81, version 1.2.6 and earlier. Any WordPress site running this plugin without newer patch versions is at risk.

The CVSS score of 4.3 indicates low overall severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need access to the administrative interface, or a user account with some permissions, to leverage the missing checks—typically by navigating the plugin’s role‑management pages. Once the flaw is abused, privilege escalation can occur within the affected site.