The Simple User Registration plugin for WordPress contains an insufficient restriction in the profile_save_field routine. This flaw allows any authenticated user with a minimal role, such as a subscriber, to alter their role by supplying the wp_capabilities parameter during a profile update. As a result, the attacker can elevate permissions, gain access to restricted content or administrative functions, and potentially modify site data or settings. The weakness stems from an authorization bypass, categorized as CWE‑284.

WordPress installations that employ the nmedia Simple User Registration plugin, version 6.7 or earlier. Sites using versions up to and including 6.7 are susceptible, while the bundled 6.8 release removes the vulnerable code path.

The vulnerability has a CVSS score of 8.8, indicating high severity, yet the EPSS score is below 1 %, suggesting a low probability of widespread exploitation as of the latest data. Because the flaw requires only an authenticated user role, the attack surface is broadened, though it is not listed in the CISA KEV catalog. The attack path is straightforward: an attacker logs in, submits a profile update containing wp_capabilities, and the plugin grants elevated privileges without checking the user’s current role. Organizations should treat this as a high‑risk change due to the potential for local privilege escalation within the WordPress environment.