Impact
An Incorrect Privilege Assignment flaw in the LCweb PrivateContent WordPress plugin allows attackers to elevate privileges from a lower-level user role to a higher-level role or to administrator. The vulnerability lies in the way the plugin assigns user capabilities; a successful exploit gives the attacker control over site content and potentially other site functions. This flaw directly compromises the integrity and confidentiality of the WordPress installation and can lead to full administrative takeover.
Affected Systems
Any WordPress site running the LCweb PrivateContent plugin at version 9.9.2 or earlier is affected. The advisory lists the affected range as all releases up to and including 9.9.2; specific earlier versions are not enumerated.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, reflecting a high impact if the flaw is exploited. No EPSS data is available, and the absence of a KEV listing does not reduce the inherent risk. The likely attack vector is web-based, since an unprivileged user can interact with the plugin through normal site access. An attacker holding any user role could attempt to exploit the misassignment to obtain elevated privileges, unless this is mitigated by limiting the available user roles or by disabling the plugin altogether.
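As an added illustration of this flaw class for plugin authors and reviewers (not PrivateContent's own code; every function, hook, nonce and role name below is an assumption), here is a role-update handler written the insecure way beside a hardened version that ties role changes to the caller's authority and to an explicit allow-list of non-privileged roles:

```php
<?php
// Hypothetical membership-plugin code illustrating Incorrect Privilege
// Assignment in WordPress. Constructed for this advisory; not the plugin's code.

// Roles the plugin is ever allowed to hand out; 'administrator' is absent by design.
const PC_ASSIGNABLE_ROLES = array( 'subscriber', 'pc_member' );

// Vulnerable pattern: the target role is taken straight from the request and no
// authorization check is made, so any logged-in user can choose 'administrator'.
function pc_update_role_vulnerable() {
    $user = wp_get_current_user();
    $user->set_role( sanitize_key( $_POST['role'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: verify intent (nonce), verify authority (capability),
// and constrain the assigned role to the allow-list.
function pc_update_role_hardened() {
    if ( ! check_ajax_referer( 'pc_update_role', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Only callers already permitted to change roles get past this point;
    // an ordinary member stops here.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $target_id = absint( $_POST['user_id'] ?? 0 );
    $role      = sanitize_key( $_POST['role'] ?? '' );
    if ( ! in_array( $role, PC_ASSIGNABLE_ROLES, true ) ) {
        wp_send_json_error( 'role not assignable', 400 );
    }
    $target = get_user_by( 'id', $target_id );
    if ( ! $target || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Core's own check: the caller may not grant a role above their own level.
    // get_editable_roles() is an admin include, available in admin-ajax requests.
    if ( ! isset( get_editable_roles()[ $role ] ) ) {
        wp_send_json_error( 'role not editable by caller', 403 );
    }
    $target->set_role( $role );
    wp_send_json_success( array( 'user' => $target_id, 'role' => $role ) );
}
// Only the hardened handler is wired to a hook.
add_action( 'wp_ajax_pc_update_role', 'pc_update_role_hardened' );
```

On an affected site, auditing users whose capabilities were changed to administrator without a corresponding action by a trusted administrator is the practical detection check until the plugin is updated or disabled.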
OpenCVE Enrichment