Description
Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through <= 2.1.1.3.
Published: 2025-07-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect assignment of user privileges in the WordPress plugin The E-Commerce ERP, allowing a user to elevate their privileges beyond those intended. This flaw directly maps to CWE-266, as it permits malicious actors to gain administrative authority without proper authorization, potentially compromising the entire WordPress site.

Affected Systems

The flaw affects Unity Business Technology Pty Ltd’s The E-Commerce ERP plugin up to and including version 2.1.1.3. All installations of this plugin within that version range are vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity; the EPSS score of less than 1% indicates that actual exploitation is currently considered unlikely, and the issue is not listed in the CISA KEV catalog. The attack path most likely involves interacting with the plugin’s web interface, but the exact vector is not explicitly documented in the advisory, so this is inferred from typical WordPress plugin behavior. An attacker who can manipulate the plugin’s privilege logic can gain unrestricted administrative access to the WordPress installation.

Generated by OpenCVE AI on April 30, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The E-Commerce ERP plugin to the most recent release from Unity Business Technology Pty Ltd that is newer than version 2.1.1.3, ensuring the privilege assignment fix is included.
  • Verify that no non-administrator roles are assigned administrative capabilities within the plugin’s role configuration.
  • If an immediate plugin upgrade is not possible, restrict external access to the plugin’s administrative endpoints by configuring firewall or web server rules to allow only authenticated administrator accounts.


Advisories
Source: EUVD
ID: EUVD-2025-21641
Title: Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed:
    Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3.
  Description, value added:
    Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation.This issue affects The E-Commerce ERP: from n/a through <= 2.1.1.3.
  References (values not shown)
  Metrics cvssV3_1:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 16 Jul 2025 19:15:00 +0000
  Metrics ssvc:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics epss:
    {'score': 0.00043}

Wed, 16 Jul 2025 11:45:00 +0000
  Description:
    Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3.
  Title:
    WordPress The E-Commerce ERP <= 2.1.1.3 - Privilege Escalation Vulnerability
  Weaknesses:
    CWE-266
  References (values not shown)
  Metrics cvssV3_1:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:20.050Z

Reserved: 2025-06-19T10:03:50.594Z

Link: CVE-2025-52836

Vulnrichment

Updated: 2025-07-16T18:49:57.737Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:29.793

Modified: 2026-04-23T15:32:15.950

Link: CVE-2025-52836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:45:26Z

Weaknesses