Description
The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.
Published: 2026-03-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Ultimate WordPress Toolkit – WP Extended plugin contains a flaw in the Menu Editor module that allows authenticated users with at least Subscriber level access to gain administrative privileges. The vulnerability stems from an insecure strpos check on the request URI, which, when bypassed by appending a crafted query parameter to any admin URL, triggers a filter that grants elevated capabilities such as manage_options. Once these capabilities are granted, the attacker can modify WordPress options and create new Administrator accounts, compromising the integrity and control of the site.

Affected Systems

All installations of The Ultimate WordPress Toolkit – WP Extended version 3.2.4 or earlier are affected. The issue resides only within this plugin and affects WordPress sites that utilize it.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. Exploitation requires the attacker to be authenticated and possess Subscriber-level access, after which a crafted query string can be appended to an admin URL. Although EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, the ability to elevate privileges to full administrative control justifies urgent remediation.

Generated by OpenCVE AI on March 22, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The Ultimate WordPress Toolkit – WP Extended to version 3.2.5 or later.
  • If a patch cannot be applied immediately, disable or remove the Menu Editor module to prevent exploitation.
  • Restrict user roles so that only trusted accounts have Subscriber access, or remove the Subscriber role entirely from the site.

Generated by OpenCVE AI on March 22, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpextended
Wpextended ultimate Wordpress Toolkit
Vendors & Products Wordpress
Wordpress wordpress
Wpextended
Wpextended ultimate Wordpress Toolkit

Sun, 22 Mar 2026 03:45:00 +0000

Type Values Removed Values Added
Description The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.
Title The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpextended Ultimate Wordpress Toolkit
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:38.168Z

Reserved: 2026-03-17T07:35:15.205Z

Link: CVE-2026-4314

cve-icon Vulnrichment

Updated: 2026-03-23T16:25:30.578Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-22T04:16:26.180

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4314

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:43Z

Weaknesses