Premmerce User Roles is vulnerable to missing authorization, enabling attackers to bypass intended access restrictions and perform actions reserved for privileged users. This flaw arises from incorrectly configured access control security levels, potentially allowing an attacker to create, modify, or delete user roles and capabilities. The weakness corresponds to CWE‑862, emphasizing that the software fails to verify a user’s authorization before allowing a privileged operation, thereby compromising the integrity and confidentiality of user management functions.

The vulnerability impacts the Premmerce WordPress plugin named Premmerce User Roles, affecting all installations using version 1.0.13 or earlier. Any WordPress site that has this plugin active and has not been upgraded beyond the stated version is therefore at risk.

With a CVSS score of 4.3, the severity is moderate, but the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, which suggests that no widespread exploitation has been documented. However, because the flaw permits privilege escalation through absent authorization, an attacker could potentially gain management access if the plugin is configured to allow broad role creation or modification. The attack vector is likely internal or remote if the attacker has partial site access, and the exploitability hinges on the attacker’s ability to trigger the plugin’s role management functions without proper permission checks. Given the low EPSS and moderate CVSS, the risk is lower than high‑severity bugs but still warrants timely remediation, especially on sites that rely heavily on custom role configurations.