Description
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.6.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The vulnerability is an incorrect privilege assignment flaw in the Josh Kohlbach Wholesale Suite plugin for WordPress. An attacker who should not possess advanced rights can exploit this defect to gain elevated privileges, potentially becoming an administrator of the WordPress site. With administrative access, the attacker could read, modify, or delete content, alter site settings, or compromise security controls. The weakness is classified as CWE-266, indicating an error in privileged role management.

Affected Systems

WordPress installations that include the Wholesale Suite plugin authored by Josh Kohlbach, with any version up to and including 2.2.6. The precise earliest version that contains the flaw is not documented, so all releases through 2.2.6 are considered vulnerable.

Risk and Exploitability

The CVSS score of 7.1 suggests a moderate to high potential impact, while the EPSS score of less than 1% indicates a very low probability of exploitation under current knowledge. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread active exploitation. Because the flaw involves privilege escalation, the primary attack vector is likely through a logged‑in user with limited rights interacting with the plugin’s functionality, though the exact method is not detailed in the available information.

Generated by OpenCVE AI on April 16, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wholesale Suite plugin to any version newer than 2.2.6 when an update is released.
  • If an update is not immediately available, disable or uninstall the plugin to eliminate the risk until a patched version is available.
  • Review and tighten WordPress user roles, ensuring that only trusted users have administrative capabilities and that role capabilities are not unnecessarily elevated.
  • Maintain up-to-date WordPress core and other plugins, and apply a least‑privilege policy to reduce the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 12:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Josh Kohlbach
Josh Kohlbach wholesale Suite
Wordpress
Wordpress wordpress
Vendors & Products Josh Kohlbach
Josh Kohlbach wholesale Suite
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.6.
Title WordPress Wholesale Suite plugin <= 2.2.6 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Josh Kohlbach Wholesale Suite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:17.505Z

Reserved: 2026-02-20T11:18:46.193Z

Link: CVE-2026-27541

cve-icon Vulnrichment

Updated: 2026-03-09T14:33:32.672Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:29.953

Modified: 2026-03-09T15:15:57.680

Link: CVE-2026-27541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses