Impact
An incorrect privilege assignment flaw (CWE‑266) in Rymera Web Co Pty Ltd's Woocommerce Wholesale Lead Capture plugin (slug woocommerce‑wholesale‑lead‑capture) allows a user to elevate privileges, potentially to administrator level on the affected WordPress site. The vendor description reads: "Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce‑wholesale‑lead‑capture allows Privilege Escalation." The primary impact is the unauthorized escalation of user roles. Because a WordPress administrator controls content, configuration, users and plugin installation, an attacker who reaches that role compromises the confidentiality, integrity, and availability of the site.
Affected Systems
All installations of the Woocommerce Wholesale Lead Capture plugin up to and including version 2.0.3.1 are affected. No lower bound is given, so every release from the first through 2.0.3.1 should be treated as vulnerable. The description does not name a fixed version; confirm the patched release against the vendor's changelog rather than assuming the next version closes the issue.
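A quick way to check whether an installed copy falls in the affected range is to read the plugin's `Version:` header and compare it against 2.0.3.1 with version ordering (so that 2.0.3 sorts below 2.0.3.1 and 2.0.4 above it). The script below is an added example, not code from the advisory or the vendor; it assumes the plugin's main file under `wp-content/plugins/woocommerce-wholesale-lead-capture/` carries a standard WordPress header, and the file name it uses is hypothetical. A constructed sample header is written to a temporary file so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the advisory or the vendor. Reads the "Version:"
# header of a WordPress plugin's main file and reports whether it falls in the
# affected range (<= 2.0.3.1) for woocommerce-wholesale-lead-capture.
# Assumption: the main plugin file is the one under
# wp-content/plugins/woocommerce-wholesale-lead-capture/ that carries a
# "Plugin Name:" header; that file name is not stated in the advisory.
set -eu

LAST_AFFECTED="2.0.3.1"   # highest affected version named in the advisory

# version_le A B: exit 0 when A <= B in version ordering (2.0.3 < 2.0.3.1 < 2.0.4).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected V: exit 0 when version V is within the affected range.
is_affected() {
    version_le "$1" "$LAST_AFFECTED"
}

# plugin_header_version FILE: print the value of the first "Version:" header line.
plugin_header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*[Vv]ersion:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# Constructed sample header standing in for the real plugin file so the script
# runs offline. On a live site set PLUGIN_FILE to the real main plugin file.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_FILE="$tmp/woocommerce-wholesale-lead-capture.php"   # hypothetical file name
cat > "$SAMPLE_FILE" <<'EOF'
<?php
/**
 * Plugin Name: Constructed sample header (not the vendor's file)
 * Version: 2.0.3.1
 */
EOF
PLUGIN_FILE="${PLUGIN_FILE:-$SAMPLE_FILE}"

installed=$(plugin_header_version "$PLUGIN_FILE")
if [ -z "$installed" ]; then
    echo "no Version: header found in $PLUGIN_FILE" >&2
    exit 2
fi
if is_affected "$installed"; then
    echo "$installed: within affected range (<= $LAST_AFFECTED); update or disable the plugin"
else
    echo "$installed: above the last affected version $LAST_AFFECTED"
fi
```

On a site with WP-CLI available, `wp plugin get woocommerce-wholesale-lead-capture --field=version` returns the same header value without parsing the file, and `wp user list --role=administrator --fields=ID,user_login,user_registered` lists the accounts whose presence you would want to review given that the flaw's impact is an unexpected administrator role.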
Risk and Exploitability
The CVSS base score is 9.8, critical severity. If this is a CVSS v3.1 score, 9.8 corresponds only to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges required, no user interaction, high impact on confidentiality, integrity and availability. The EPSS score is reported as below 1%, meaning the model predicts a low probability of in-the-wild exploitation activity over the next 30 days; EPSS estimates exploitation likelihood, not severity or ease of exploitation, so a low score does not make an exposed site safe. The vulnerability is not listed in CISA's KEV catalog. The vendor description does not say which code path assigns the wrong privilege, and no public exploit details are given here. One caveat matters for triage: a 9.8 score implies PR:N, so the flaw should be assumed reachable without an existing privileged account; do not discount it on the grounds that only users who can already modify roles could trigger it. The risk is significant for any site running an affected version, and the mitigations are the usual ones: update or disable the plugin, and audit the administrator user list and recent role changes for accounts that should not be there.
OpenCVE Enrichment