Description
Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the e‑plugins Final User plugin involves incorrect privilege assignment that can allow an attacker with limited WordPress permissions to gain administrator-level rights. This escalation can lead to full control over site content, configuration, and the ability to exploit other plugins or themes. The flaw is classified as CWE‑266 (Incorrect Privilege Assignment).

Affected Systems

The issue impacts e‑plugins Final User WordPress plugin versions through 1.2.5. Any WordPress installation using Final User 1.2.5 or older is potentially vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of <1% indicates a low estimated probability of exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote exploitation via the plugin’s administrative screens, inferred from the plugin’s web‑based nature. Attackers could exploit the flaw if they already have a basic user account or can reach the site’s web interface, allowing them to broaden their role to Administrator and compromise confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 29, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Final User plugin to the latest release, 1.2.6 or newer, to eliminate the privilege assignment flaw.
  • Deactivate the Final User plugin temporarily until a patched version is installed to prevent exploitation.
  • Review and tighten user role assignments to ensure only trusted administrators have full capabilities.


Advisories

No advisories yet.

History

Mon, 26 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 23 Jan 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | E-plugins; E-plugins final User; Wordpress; Wordpress wordpress |
| Vendors & Products | | E-plugins; E-plugins final User; Wordpress; Wordpress wordpress |

Thu, 22 Jan 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. |
| Title | | WordPress Final User plugin <= 1.2.5 - Privilege Escalation vulnerability |
| Weaknesses | | CWE-266 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:45:32.987Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69293

Vulnrichment

Updated: 2026-01-26T21:31:31.344Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:26.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses