Impact
An incorrect privilege assignment flaw in the PenciDesign Soledad theme allows an attacker to gain higher permissions than those normally granted by their WordPress role. The defect causes the theme to mis-assign capabilities during its operation, giving users the ability to perform administrative actions. The weakness is classified as CWE-266 (Incorrect Privilege Assignment), a privilege-management weakness; exploitation requires only some form of authenticated access, or the ability to send crafted requests to the theme's code.
Affected Systems
The vulnerability affects the WordPress Soledad theme produced by PenciDesign. All releases of the theme from its first public version up to and including 8.6.9 are impacted. Any WordPress site that incorporates any of those theme versions is at risk of having its user privileges escalated by an attacker.
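Whether a site is affected can be determined from the theme's own `style.css` header, which WordPress reads for the theme name and version. The following Python is an added example, not code from the advisory or from PenciDesign; it assumes the header field reads `Theme Name: Soledad`, that versions are dotted numerics comparable to `8.6.9`, and that themes live under a `wp-content/themes` directory passed to `scan_themes`.

```python
import os
import re

# Highest affected Soledad release stated in the advisory.
LAST_AFFECTED_VERSION = "8.6.9"
# Assumed value of the "Theme Name:" header in Soledad's style.css.
THEME_NAME = "Soledad"

def parse_theme_header(style_css: str) -> dict:
    """Return the WordPress theme header fields (Theme Name, Version, ...)
    found in the comment block at the top of a style.css file."""
    fields = {}
    for line in style_css.splitlines():
        m = re.match(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def version_tuple(version: str) -> tuple:
    """Split a dotted version into integers so '8.10.0' sorts above '8.6.9'."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(style_css: str) -> bool:
    """True when style.css describes Soledad at a version <= 8.6.9."""
    header = parse_theme_header(style_css)
    if header.get("Theme Name", "").lower() != THEME_NAME.lower():
        return False
    version = header.get("Version")
    if version is None:
        return True  # unknown version: treat as affected until confirmed
    return version_tuple(version) <= version_tuple(LAST_AFFECTED_VERSION)

def scan_themes(themes_dir: str) -> list:
    """Walk wp-content/themes and list directories holding an affected Soledad."""
    hits = []
    for name in sorted(os.listdir(themes_dir)):
        css = os.path.join(themes_dir, name, "style.css")
        if os.path.isfile(css):
            with open(css, encoding="utf-8", errors="replace") as fh:
                if is_affected(fh.read()):
                    hits.append(name)
    return hits

# Constructed sample headers for testing (not copied from the real theme).
SAMPLE_VULNERABLE = "/*\nTheme Name: Soledad\nVersion: 8.6.9\n*/\n"
SAMPLE_FIXED = "/*\nTheme Name: Soledad\nVersion: 8.7.0\n*/\n"
SAMPLE_OTHER = "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/\n"
```

Run `scan_themes("/path/to/wp-content/themes")` on each site; any directory it returns should be updated to a release newer than 8.6.9 before the site is considered remediated.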
Risk and Exploitability
The CVSS score of 9.8 marks this flaw as critical, while the EPSS < 1% indicates that the probability of exploitation is currently low but not zero. The theme's privilege logic is exposed through its public or administrative interfaces; an attacker with limited permissions can potentially send crafted requests or submit forms that trigger the incorrect assignment, leading to full administrative control. The vulnerability is not listed in CISA's KEV catalog, but the severity warrants prompt action. Because the flaw can be exploited remotely and the damage is substantial, organizations should treat it as a high-risk issue and remediate immediately.
OpenCVE Enrichment