CVE Catalog

CVE-2026-8157

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile - higher than 14% of all known CVEs

Summary

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom role to escalate privileges to administrator.

Risk Assessment

The organization may be exposed to unauthorized access to administrator accounts, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to update the Vitepos plugin to version 3.4.2 or later to mitigate this security vulnerability.

Original NVD description (English source)

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS