Description
Incorrect Privilege Assignment vulnerability in bPlugins Voice Feedback voice-feedback allows Privilege Escalation. This issue affects Voice Feedback: from n/a through <= 1.0.3.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress plugin Voice Feedback from bPlugins contains an incorrect privilege assignment flaw that permits an attacker to elevate privileges beyond what is intended. The flaw is categorized as CWE-266: Incorrect Privilege Assignment, and it can allow a malicious user to gain elevated capabilities on the WordPress site, potentially enabling them to access restricted content or modify settings.

Affected Systems

The vulnerability affects all installations of the Voice Feedback plugin version 1.0.3 and earlier, which are distributed via WordPress. Users running the plugin on any WordPress site are potentially exposed.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 8.8 (High). The EPSS score of less than 1% suggests that, while exploitation is possible, the probability of widespread attacks remains low, and the vulnerability is not listed in the CISA KEV catalog. The description does not specify whether remote access is required, but the CVSS vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N) rates it as network-reachable and requiring only low privileges. That is consistent with a privilege assignment flaw that an attacker with some level of authenticated access, such as an existing registered user, could leverage to elevate privileges. With confidentiality, integrity and availability impact all rated High, an attacker who exploits this flaw could potentially take full control of the WordPress site.

Generated by OpenCVE AI on April 29, 2026 at 14:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Voice Feedback plugin to the latest available version (greater than 1.0.3) as provided by bPlugins.
  • If an immediate upgrade is not possible, disable or remove the plugin until a patched version is deployed to eliminate the attack surface.
  • Review and adjust user role assignments on the site, ensuring that the capabilities granted to each role conform to the principle of least privilege, to mitigate similar privilege assignment vulnerabilities.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 24 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incorrect Privilege Assignment vulnerability in bPlugins Voice Feedback voice-feedback allows Privilege Escalation. This issue affects Voice Feedback: from n/a through <= 1.0.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Voice Feedback plugin <= 1.0.3 - Privilege Escalation vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:46:27.269Z

Reserved: 2025-10-07T15:34:03.909Z

Link: CVE-2025-62007

Vulnrichment

Updated: 2025-10-24T12:47:32.764Z

NVD

Status: Deferred

Published: 2025-10-22T15:16:02.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:15:14Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment