{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0844", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-10T14:13:05.549Z", "datePublished": "2026-01-28T11:23:39.860Z", "dateUpdated": "2026-04-14T15:08:02.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:23.885Z"}, "affected": [{"vendor": "nmedia", "product": "Simple User Registration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}], "title": "Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.8/inc/classes/class.profile.php#L401"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2026-01-27T21:50:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:33:25.446860Z", "id": "CVE-2026-0844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:08:02.908Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T14:33:25.446860Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:33:39.962Z"}}], "cna": {"title": "Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "nmedia", "product": "Simple User Registration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T21:50:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.8/inc/classes/class.profile.php#L401"}], "descriptions": [{"lang": "en", "value": "The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:23.885Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0844", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:08:02.908Z", "dateReserved": "2026-01-10T14:13:05.549Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T11:23:39.860Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}, {"lang": "es", "value": "El plugin Simple User Registration para WordPress es vulnerable a escalada de privilegios en versiones hasta la 6.7, inclusive, debido a una restricci\u00f3n insuficiente en la funci\u00f3n 'profile_save_field'. Esto permite a atacantes autenticados, con permisos m\u00ednimos como un suscriptor, modificar su rol de usuario al proporcionar el par\u00e1metro 'wp_capabilities' durante una actualizaci\u00f3n de perfil."}], "id": "CVE-2026-0844", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T12:15:52.437", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.8/inc/classes/class.profile.php#L401"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T15:16:03.473612+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple User Registration plugin to version\u202f6.8 or newer, where the issue is fixed.", "If an upgrade cannot be performed immediately, remove or neutralize the profile_save_field hook that processes wp_capabilities, or block the wp_capabilities parameter at the form level to prevent non\u2011admin role changes.", "Restrict subscriber accounts to read\u2011only or single\u2011role capabilities using role\u2011management plugins or user\u2011role filters, ensuring that only administrators can modify role assignments."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress installations that employ the nmedia Simple User Registration plugin, version 6.7 or earlier. Sites using versions up to and including 6.7 are susceptible, while the bundled 6.8 release removes the vulnerable code path.", "description_and_impact": "The Simple User Registration plugin for WordPress contains an insufficient restriction in the profile_save_field routine. This flaw allows any authenticated user with a minimal role, such as a subscriber, to alter their role by supplying the wp_capabilities parameter during a profile update. As a result, the attacker can elevate permissions, gain access to restricted content or administrative functions, and potentially modify site data or settings. The weakness stems from an authorization bypass, categorized as CWE\u2011284.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating high severity, yet the EPSS score is below 1\u202f%, suggesting a low probability of widespread exploitation as of the latest data. Because the flaw requires only an authenticated user role, the attack surface is broadened, though it is not listed in the CISA KEV catalog. The attack path is straightforward: an attacker logs in, submits a profile update containing wp_capabilities, and the plugin grants elevated privileges without checking the user\u2019s current role. Organizations should treat this as a high\u2011risk change due to the potential for local privilege escalation within the WordPress environment."}}}}, "created": "2026-01-29T09:18:23.328249+00:00", "updated": "2026-04-15T18:00:15.530031+00:00", "vendors": ["n-media", "n-media$PRODUCT$simple_user_registration", "wordpress", "wordpress$PRODUCT$wordpress"]}