The Vitepos WordPress plugin allows an authenticated user who already has a custom role to create new users via a REST API endpoint without properly limiting the roles that can be assigned. By assigning the administrator role to a newly created user, the attacker can elevate their privileges to full site administration. This flaw is an instance of improper access control (CWE‑284) and results in the loss of integrity and authority over site settings and data.

The vulnerability affects installations of the Vitepos WordPress plugin with versions prior to 3.4.2. Any WordPress site that has the plugin active and contains custom roles is potentially impacted. Site owners should check that the plugin version is at least 3.4.2 before deploying.

The CVSS score is not provided, but the vulnerability demonstrates high risk because it permits privilege escalation directly from any authenticated user who can exploit the REST endpoint. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers can reach the REST API over the web, so remote exploitation is possible if the site exposes the endpoint. The attack requires authentication but does not need higher privileges, meaning attackers who already have a user account can immediately use the flaw.