Impact
An incorrect privilege assignment flaw in Holest Engineering's Selling Commander for WooCommerce plugin allows an authenticated user with insufficient rights to elevate their privileges to those of an administrator or superuser. The weakness corresponds to CWE-266: Default Credentials or Poor Credential Management. If exploited, an attacker could gain full control over the WordPress site, including content modification, plugin disabling, and potentially other administrative functions.
Affected Systems
The vulnerability affects the Holest Engineering Selling Commander for WooCommerce plugin, specifically all releases from the first available version through and including 1.2.46. This plugin is installed as a WordPress extension that integrates with WooCommerce to provide additional sales and shipping functionality.
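A defender's first step is to find out whether an installed copy falls inside the affected range (every release up to and including 1.2.46). The script below is an added example, not code from the advisory or from Holest Engineering: it parses the standard WordPress plugin header of each plugin's main PHP file, matches on the "Plugin Name" header (the plugin's directory slug is not given in the advisory, so it is not assumed), and compares the "Version" header against 1.2.46 as a numeric tuple. The sample headers embedded at the bottom are constructed for illustration.

```python
"""Audit a WordPress plugins directory for affected Selling Commander for WooCommerce versions.

Added example (not the plugin's or the advisory's own code). Assumptions:
- the affected range is every release <= 1.2.46, as stated in the advisory;
- the plugin is identified by its "Plugin Name" header, since its slug is not given.
"""
import os
import re
from typing import Iterator, Optional, Tuple

# Last affected release per the advisory; everything up to and including it is affected.
LAST_AFFECTED = "1.2.46"

# Match on the display name rather than an assumed directory slug.
PLUGIN_NAME_PATTERN = re.compile(r"selling\s+commander", re.IGNORECASE)

# WordPress plugin header lines look like " * Plugin Name: Foo" / " * Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> dict:
    """Extract the Plugin Name and Version header fields from a plugin's main PHP file.

    Only the first 8 KiB is inspected, which is where WordPress itself reads headers.
    The first occurrence of each field wins, mirroring WordPress behaviour.
    """
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value.strip())
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.2.46' into (1, 2, 46); a non-numeric component (e.g. 'beta') counts as 0."""
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is within the affected range (<= last_affected)."""
    return version_tuple(version) <= version_tuple(last_affected)


def audit_plugin_source(text: str) -> Optional[Tuple[str, str, bool]]:
    """Return (plugin name, version, affected?) for a Selling Commander header, else None."""
    header = parse_plugin_header(text)
    name = header.get("Plugin Name", "")
    if not PLUGIN_NAME_PATTERN.search(name):
        return None
    version = header.get("Version", "0")
    return (name, version, is_affected(version))


def scan_plugins_dir(plugins_dir: str) -> Iterator[Tuple[str, str, str, bool]]:
    """Walk wp-content/plugins and yield (path, name, version, affected?) for each match."""
    for root, _dirs, files in os.walk(plugins_dir):
        for filename in files:
            if not filename.endswith(".php"):
                continue
            path = os.path.join(root, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as handle:
                    text = handle.read(8192)
            except OSError:
                continue
            finding = audit_plugin_source(text)
            if finding is not None:
                yield (path, *finding)


# Constructed sample headers (not taken from the real plugin).
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Selling Commander for WooCommerce
 * Description: constructed sample header
 * Version: 1.2.46
 */
"""

SAMPLE_OTHER = """<?php
/**
 * Plugin Name: Some Unrelated Plugin
 * Version: 9.9.9
 */
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, name, version, affected in scan_plugins_dir(target):
        status = "AFFECTED (<= %s)" % LAST_AFFECTED if affected else "not affected"
        print(f"{path}: {name} {version}: {status}")
```

Run it with the path to a site's plugins directory; a hit marked AFFECTED should be updated past 1.2.46 or disabled until it is. Because the advisory covers every earlier release, a version such as 1.2 or 1.0 (fewer components) compares as affected, while 1.2.46.1 or 1.3.0 compares as not affected.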
Risk and Exploitability
The CVSS score of 9.8 signals critical severity. The EPSS score of less than 1% indicates a low probability of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector likely requires an authenticated user with limited privileges who can then trigger the escalation. No remote code execution or denial-of-service conditions are disclosed, but the impact is unauthorized escalation to full site administration.
OpenCVE Enrichment