Description
The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form.
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Highland Software Custom Role Manager plugin for WordPress is vulnerable due to an insufficient authorization check in the hscrm_save_user_roles() function. This function is hooked to the personal_options_update action, which any authenticated user can trigger. An attacker with Subscriber or higher access can therefore modify user roles through the profile update form, potentially granting themselves higher privileges or altering other users' roles, leading to full site compromise.

Affected Systems

The vulnerability affects the Highland Software Custom Role Manager plugin, version 1.0.0 and earlier, published by jgrodgers on the WordPress plugin repository. No later versions were reported to contain the flaw.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity, while the EPSS score of < 1% indicates a low likelihood of exploitation as of the latest data. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be logged in with at least Subscriber privileges and to submit a profile update request; no elevation to full administrator is required to trigger the underlying issue. Once the role update is performed, the attacker acquires any privileges granted to the new role, which poses an ongoing threat to site integrity and confidentiality.

Generated by OpenCVE AI on April 28, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Highland Software Custom Role Manager plugin to a version newer than 1.0.0, which corrects the missing authorization check in hscrm_save_user_roles().
  • If an upgrade is not immediately possible, deactivate or uninstall the Highland Software Custom Role Manager plugin to eliminate the vulnerable functionality.
  • As a temporary precaution, add a capability check on the personal_options_update hook so that only users with Administrator privileges can execute hscrm_save_user_roles(); this can be done by inserting a check for current_user_can('manage_options') before the role assignment logic.
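The capability check described in the last bullet, shown as an added illustration in the shape of a hardened profile-update handler; this is not the plugin's own code, and the request field name hscrm_roles and the nonce action are assumptions made for the example:

```php
<?php
// Added example, not the plugin's own code. The request field name
// 'hscrm_roles' and the nonce action are assumptions made for illustration.
function hscrm_save_user_roles_hardened( $user_id ) {
    // The hook fires for every logged-in user saving their own profile,
    // so the callback must gate the action itself. The advisory suggests
    // manage_options; promote_users is the capability WordPress itself
    // uses for role changes, so either is acceptable here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The caller must also be permitted to edit this particular user.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // CSRF check on the plugin's own form field (assumed nonce name/action).
    $nonce = isset( $_POST['hscrm_roles_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['hscrm_roles_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'hscrm_save_user_roles' ) ) {
        return;
    }
    if ( empty( $_POST['hscrm_roles'] ) || ! is_array( $_POST['hscrm_roles'] ) ) {
        return;
    }
    // Accept only roles that exist and that the current user may assign.
    $allowed = array_keys( get_editable_roles() );
    $roles   = array();
    foreach ( $_POST['hscrm_roles'] as $role ) {
        $role = sanitize_key( $role );
        if ( in_array( $role, $allowed, true ) ) {
            $roles[] = $role;
        }
    }
    $user = get_userdata( $user_id );
    if ( ! $user || empty( $roles ) ) {
        return;
    }
    // set_role() replaces all existing roles; add_role() appends the rest.
    $user->set_role( array_shift( $roles ) );
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}
add_action( 'personal_options_update', 'hscrm_save_user_roles_hardened' );
add_action( 'edit_user_profile_update', 'hscrm_save_user_roles_hardened' );
```

Registering the same callback on edit_user_profile_update keeps the check in place when an administrator edits another user's profile, which is the other path through the same form.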


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values removed: none
Values added: Jgrodgers; Jgrodgers highland Software Custom Role Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Jgrodgers; Jgrodgers highland Software Custom Role Manager; Wordpress; Wordpress wordpress

Mon, 27 Apr 2026 03:00:00 +0000

Type: Description
Values removed: none
Values added: The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form.

Type: Title
Values removed: none
Values added: Highland Software Custom Role Manager <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation

Type: Weaknesses
Values removed: none
Values added: CWE-269

Type: References
Values removed: none
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-29T13:44:33.298Z

Reserved: 2026-04-26T14:20:17.528Z

Link: CVE-2026-7106

Vulnrichment

Updated: 2026-04-29T13:44:29.645Z

NVD

Status : Deferred

Published: 2026-04-27T03:16:00.297

Modified: 2026-04-27T18:38:48.527

Link: CVE-2026-7106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses