Home

Description

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

PUBLISHED Reserved 2026-05-08 | Published 2026-06-22 | Updated 2026-06-22 | Assigner WPScan

Problem types

CWE-269 Improper Privilege Management

Product status

Default status
unaffected

Any version before 3.4.2
affected

Credits

Real_King_Engine (ISAL FRAMEWORK) finder

WPScan coordinator

References

wpscan.com/...rability/6680cc6a-9758-4040-bb39-7b9545041dc3/ exploit vdb-entry technical-description

cve.org (CVE-2026-8157)

nvd.nist.gov (CVE-2026-8157)

Download JSON