Impact
An incorrect privilege assignment flaw in Rymera Web Co Pty Ltd's Woocommerce Wholesale Lead Capture plugin can allow a user to elevate privileges, potentially gaining administrator-level access to the WordPress site. The weakness is identified as CWE-266, and the vendor description confirms that "Incorrect Privilege Assignment vulnerability... allows Privilege Escalation." The primary impact is the unauthorized escalation of user roles, compromising the confidentiality, integrity, and availability of the site.
Affected Systems
All installations of the Woocommerce Wholesale Lead Capture plugin up to and including version 2.0.3.1 are affected. No lower bound has been identified, so every version from the initial release through 2.0.3.1 should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. No EPSS score is provided, but the absence of mitigation measures and the privilege-escalation nature of the flaw suggest a high likelihood of exploitation, particularly on sites where an attacker can interact with the plugin or already holds compromised credentials. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred from the privilege-escalation description rather than stated explicitly: an attacker could plausibly abuse the flaw by manipulating role assignments or triggering plugin code paths through the WordPress administrative interface. Without timely remediation, the risk remains high.
OpenCVE Enrichment