CVE-2026-8157
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom role to escalate privileges to administrator.
Risk Assessment
The organization may be exposed to unauthorized access to administrator accounts, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update the Vitepos plugin to version 3.4.2 or later to mitigate this security vulnerability.
Original NVD description (English source)
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

