{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12158", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T13:21:01.016Z", "datePublished": "2025-11-04T04:27:22.881Z", "dateUpdated": "2026-04-08T17:28:01.795Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:01.795Z"}, "affected": [{"vendor": "tanvirahmed1984", "product": "Simple User Capabilities", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator."}], "title": "Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve"}, {"url": "https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php"}, {"url": "https://wordpress.org/plugins/simple-user-capabilities/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "D01EXPLOIT OFFICIAL"}], "timeline": [{"time": "2025-11-03T15:33:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T15:01:50.883477Z", "id": "CVE-2025-12158", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:01:57.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12158", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-04T15:01:50.883477Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:01:53.557Z"}}], "cna": {"title": "Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "D01EXPLOIT OFFICIAL"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tanvirahmed1984", "product": "Simple User Capabilities", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:33:31.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve"}, {"url": "https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php"}, {"url": "https://wordpress.org/plugins/simple-user-capabilities/"}], "descriptions": [{"lang": "en", "value": "The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-04T04:27:22.881Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12158", "state": "PUBLISHED", "dateUpdated": "2025-11-04T15:01:57.048Z", "dateReserved": "2025-10-24T13:21:01.016Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:22.881Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator."}], "id": "CVE-2025-12158", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:10.083", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/simple-user-capabilities/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:54:41.736942+00:00", "value": {"mitigation_remediation": ["Upgrade to a released version of Simple User Capabilities that includes proper capability checks, or if none is available, remove the plugin from the site immediately.", "Disable or restrict the plugin\u2019s capability\u2011management features until a patch is applied, ensuring that only existing administrators can modify roles.", "Implement monitoring of user role changes in WordPress logs to detect unauthorized elevation attempts and respond promptly."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "WordPress sites running the tanvirahmed1984 Simple User Capabilities plugin, versions up to and including 1.0 are affected.", "description_and_impact": "The Simple User Capabilities plugin for WordPress is affected by a missing capability check in the suc_submit_capabilities() function. This flaw allows an attacker who has not logged in to elevate any existing user account\u2019s role to Administrator. The vulnerability is a classic missing authorization flaw (CWE\u2011862), which can lead to full control of the site, content theft, and further exploitation of any other installed plugin or theme weaknesses.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, but the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can achieve privilege escalation through an unauthenticated HTTP request that triggers the vulnerable function, resulting in the ability to modify the role of any user to administrator."}}}}, "created": "2025-11-04T16:33:20.987950+00:00", "updated": "2026-04-21T02:00:12.303582+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}