Description
Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The plugin contains an incorrect privilege assignment flaw that allows a non‑administrator user to elevate their permissions to a level that grants full control over the WordPress site. This weakness is manifest as a direct privilege escalation vulnerability (CWE‑266). An attacker who can execute any code in the plugin’s context can potentially gain full administrative rights, compromising confidentiality, integrity, and availability of the entire website.

Affected Systems

The vulnerability affects the RewardsWP plugin developed by Andrew Munro / AffiliateWP. Any installation running a version from the earliest releases up to and including 1.0.4 is susceptible. WordPress sites that have not upgraded past this version are at risk.

Risk and Exploitability

The CVSS base score of 9.8 highlights an extremely high severity, while the EPSS score of less than 1% suggests the exploit is unlikely to be widely observed at present. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector requires an authenticated user with limited privileges to interact with the plugin’s interface and manipulate the privilege assignment logic, after which they can assume full site administrator rights.

Generated by OpenCVE AI on March 26, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RewardsWP plugin to a version newer than 1.0.4.
  • If an update is not yet available, remove the RewardsWP plugin entirely until a fix is released.
  • Verify that no user accounts on the WordPress site have privileges higher than intended and review user roles after remediation.
  • Monitor the vendor’s website and security advisories for further updates.

Generated by OpenCVE AI on March 26, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Andrew Munro / Affiliatewp
Andrew Munro / Affiliatewp rewardswp
Wordpress
Wordpress wordpress
Vendors & Products Andrew Munro / Affiliatewp
Andrew Munro / Affiliatewp rewardswp
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.
Title WordPress RewardsWP plugin <= 1.0.4 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Andrew Munro / Affiliatewp Rewardswp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:46:23.699Z

Reserved: 2026-03-12T11:12:19.946Z

Link: CVE-2026-32520

cve-icon Vulnrichment

Updated: 2026-03-26T18:44:12.937Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:04.773

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:45Z

Weaknesses