CVE-2026-4297
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk37th percentile - higher than 37% of all known CVEs
Summary
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. The missing capability check in the nc_setOption() function allows authenticated attackers with Subscriber-level access and above to update arbitrary WordPress options via XML-RPC requests.
Risk Assessment
Attackers can exploit this vulnerability to change the default_role option to 'administrator', leading to privilege escalation and site takeover.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and to implement additional security measures for the XML-RPC interface.
Original NVD description (English source)
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.

