Description
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iControlWP plugin for WordPress contains an unauthenticated privilege escalation flaw in versions 5.5.3 and earlier that allows an attacker without prior credentials to gain elevated administrative privileges. This flaw is classified as CWE-266, indicating a weakness in authentication controls and privilege management. An attacker who can exploit it can gain unrestricted control over the WordPress site, potentially accessing sensitive data, modifying site content, or installing additional malicious plugins.

Affected Systems

The vulnerability affects the iControlWP plugin developed by Paul, used as a WordPress add‑on, and only the versions up to and including 5.5.3 are impacted.

Risk and Exploitability

With a CVSS score of 9.8 this issue is deemed critical, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA KEV. The exploit requires no authentication and can be performed from any location that can reach the WordPress site; thus the likely attack vector is remote network access to the site’s admin or plugin endpoints. Given the high severity, a successful exploitation would result in global compromise of the affected site.

Generated by OpenCVE AI on June 16, 2026 at 22:36 UTC.

Remediation

Vendor Solution

Update the WordPress iControlWP Plugin to the latest available version (at least 5.5.4).

OpenCVE Recommended Actions

  • Upgrade the iControlWP plugin to version 5.5.4 or newer.
  • If upgrading is not possible, disable or remove the iControlWP plugin entirely to eliminate the risk.
  • Implement stricter access controls and firewall rules to limit exposure to the WordPress administrative interfaces.

Generated by OpenCVE AI on June 16, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
Title WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T15:54:08.187Z

Reserved: 2026-03-31T09:57:35.161Z

Link: CVE-2026-34901

cve-icon Vulnrichment

Updated: 2026-06-16T15:53:51.217Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:42.227

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-34901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:45:03Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment