Description
Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hospital Doctor Directory plugin from e-plugins contains an incorrect privilege assignment flaw that allows an attacker to elevate their permissions within the WordPress site. The vulnerability is classified as CWE‑266, indicating a weakness in controlling team or user access rights. An attacker who can trigger the flaw would gain elevated privileges, potentially allowing full administrative control over the WordPress installation.

Affected Systems

This issue affects the e‑plugins Hospital Doctor Directory plugin for all versions from the earliest revision through 1.3.9. The vulnerability is present in any WordPress site that has not upgraded beyond 1.3.9, regardless of custom configuration or theme.

Risk and Exploitability

The CVSS score of 8.8 highlights a high severity risk, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, which further indicates limited exploitation activity. Based on the description, the likely attack path involves authenticating to the WordPress admin area and exploiting the plugin’s privilege assignment logic, though the exact prerequisites are not detailed in the report.

Generated by OpenCVE AI on April 29, 2026 at 10:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hospital Doctor Directory to a version later than 1.3.9 if a newer release is available
  • If an upgrade is not possible, consider disabling or uninstalling the plugin to eliminate the privilege escalation vector
  • After remediation, review user roles and permissions in WordPress to ensure no elevated privileges remain assigned by the plugin

Generated by OpenCVE AI on April 29, 2026 at 10:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared E-plugins
E-plugins hospital & Doctor Directory
Wordpress
Wordpress wordpress
Vendors & Products E-plugins
E-plugins hospital & Doctor Directory
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.
Title WordPress Hospital Doctor Directory plugin <= 1.3.9 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

E-plugins Hospital & Doctor Directory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:43:42.039Z

Reserved: 2025-12-29T11:20:07.744Z

Link: CVE-2025-69183

cve-icon Vulnrichment

Updated: 2026-01-27T21:45:30.460Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:24.833

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69183

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:15:08Z

Weaknesses