Description
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
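To show the missing-authorization pattern the description reports, here is an added illustration (not the plugin's code; the handler bodies and the assumed argument layout of blog id, username, password, option name, option value are a hypothetical reconstruction). The vulnerable shape only authenticates via $wp_xmlrpc_server->login(); the hardened shape also authorizes with current_user_can('manage_options') before touching any option:

```php
<?php
// Hypothetical reconstruction of the pattern described in the advisory; not the plugin's code.
// Assumed XML-RPC argument layout: [blog_id, username, password, option_name, option_value].

// Vulnerable shape: authentication only. login() proves the credentials are valid,
// but any role (Subscriber included) passes, so any option can be written (CWE-862).
function nc_setOption_vulnerable( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );
    list( , $username, $password, $name, $value ) = $args;

    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error; // invalid credentials: IXR_Error set by login()
    }
    return update_option( $name, $value ); // no authorization check before the write
}

// Hardened shape: authentication AND authorization. Only users who hold
// manage_options (administrators by default) reach update_option().
function nc_setOption_fixed( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );
    list( , $username, $password, $name, $value ) = $args;

    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }
    // login() sets the current user, so current_user_can() evaluates the caller's role.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new IXR_Error( 403, 'Sorry, you are not allowed to manage options.' );
    }
    return update_option( $name, $value );
}

// Register the hardened handler under the method name the advisory cites.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['nc.setOption'] = 'nc_setOption_fixed';
    return $methods;
} );
```

A Subscriber-level account still passes login() in the hardened version but is stopped at the capability check, which is the condition the description says is absent.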
AI Analysis

Impact

The vulnerability occurs in the Welcome Software Publishing plugin for WordPress versions up to 0.0.31. An XML-RPC method, nc.setOption, is exposed that authenticates the user but skips a capability check. An attacker who can log in with any role as low as Subscriber can send a crafted XML-RPC request to update any WordPress option. By changing the default_role option to administrator and then creating a new administrator account, the attacker gains full control of the site.

Affected Systems

Vendor: newscred (Welcome Software Publishing). Product: Welcome Software Publishing plugin for WordPress. Vulnerable versions: all releases up to and including 0.0.31. No newer versions are listed as affected.

Risk and Exploitability

The CVSS v3.1 base score is 8.8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Successful exploitation requires a valid user account with Subscriber or higher privileges and the ability to send XML-RPC requests, which is typically permitted by default in WordPress installations. Once the attacker modifies the default_role setting, creating an administrator account can be achieved without further authentication, leading to full site takeover. While the vulnerability can only be exploited by authenticated users, no additional network restriction is necessary for exploitation; an attacker can target the site from anywhere that can reach its XML-RPC endpoint.

Generated by OpenCVE AI on June 24, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release (e.g., 0.0.32 or later) that adds the missing capability check to nc.setOption.
  • If upgrade is not feasible, immediately disable XML-RPC or block the nc.setOption method, for example by using the WordPress XML-RPC Disable plugin or adding a firewall rule that filters POST requests to xmlrpc.php containing the nc.setOption method name.
  • Restrict XML-RPC access to trusted IP addresses or authenticated users only; apply network firewall rules or wp-config.php settings to limit XML-RPC usage.

Generated by OpenCVE AI on June 24, 2026 at 09:08 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Values added (no values removed):

Description: The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.

Title: Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method

Weaknesses: CWE-862

References:

Metrics: cvssV3_1, score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:24.530Z

Reserved: 2026-03-16T18:58:52.144Z

Link: CVE-2026-4297

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses