{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4314", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T07:35:15.205Z", "datePublished": "2026-03-22T03:26:34.034Z", "dateUpdated": "2026-04-08T16:46:38.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:38.168Z"}, "affected": [{"vendor": "wpextended", "product": "The Ultimate WordPress Toolkit \u2013 WP Extended", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The 'The Ultimate WordPress Toolkit \u2013 WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts."}], "title": "The Ultimate WordPress Toolkit \u2013 WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ea001c-6edb-4f36-a7ec-19be1d857b9e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L207"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3475963&old_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php&new=&new_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "timeline": [{"time": "2026-03-18T13:46:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-21T14:34:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:25:12.331849Z", "id": "CVE-2026-4314", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:25:36.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "The Ultimate WordPress Toolkit \u2013 WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module", "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpextended", "product": "The Ultimate WordPress Toolkit \u2013 WP Extended", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-18T13:46:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-21T14:34:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ea001c-6edb-4f36-a7ec-19be1d857b9e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L207"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3475963&old_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php&new=&new_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php"}], "descriptions": [{"lang": "en", "value": "The 'The Ultimate WordPress Toolkit \u2013 WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-22T03:26:34.034Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T16:25:12.331849Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T16:25:30.578Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-4314", "state": "PUBLISHED", "dateUpdated": "2026-03-22T03:26:34.034Z", "dateReserved": "2026-03-17T07:35:15.205Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-22T03:26:34.034Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The 'The Ultimate WordPress Toolkit \u2013 WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts."}, {"lang": "es", "value": "El plugin 'The Ultimate WordPress Toolkit \u2013 WP Extended' para WordPress es vulnerable a escalada de privilegios en todas las versiones hasta la 3.2.4, inclusive. Esto se debe a que el m\u00e9todo `isDashboardOrProfileRequest()` en el m\u00f3dulo Editor de Men\u00fa utiliza una comprobaci\u00f3n `strpos()` insegura contra `$_SERVER['REQUEST_URI']` para determinar si una solicitud apunta al panel de control o a la p\u00e1gina de perfil. El m\u00e9todo `grantVirtualCaps()`, que est\u00e1 enganchado al filtro `user_has_cap`, otorga capacidades elevadas, incluyendo `manage_options`, cuando esta comprobaci\u00f3n devuelve verdadero. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, obtengan capacidades administrativas al a\u00f1adir un par\u00e1metro de consulta manipulado a cualquier URL de administraci\u00f3n, permiti\u00e9ndoles actualizar opciones arbitrarias de WordPress y, en \u00faltima instancia, crear nuevas cuentas de Administrador."}], "id": "CVE-2026-4314", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-22T04:16:26.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L207"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old=3475963&old_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php&new=&new_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ea001c-6edb-4f36-a7ec-19be1d857b9e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.4]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "The Ultimate WordPress Toolkit \u2013 WP Extended", "source": "cna", "vendor": "wpextended"}, "product": "ultimate_wordpress_toolkit", "vendor": "wpextended"}], "analysis": {"en": {"generated_at": "2026-03-22T04:50:17.169313+00:00", "value": {"mitigation_remediation": ["Upgrade The Ultimate WordPress Toolkit \u2013 WP Extended to version 3.2.5 or later.", "If a patch cannot be applied immediately, disable or remove the Menu Editor module to prevent exploitation.", "Restrict user roles so that only trusted accounts have Subscriber access, or remove the Subscriber role entirely from the site."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of The Ultimate WordPress Toolkit \u2013 WP Extended version 3.2.4 or earlier are affected. The issue resides only within this plugin and affects WordPress sites that utilize it.", "description_and_impact": "The Ultimate WordPress Toolkit \u2013 WP Extended plugin contains a flaw in the Menu Editor module that allows authenticated users with at least Subscriber level access to gain administrative privileges. The vulnerability stems from an insecure strpos check on the request URI, which, when bypassed by appending a crafted query parameter to any admin URL, triggers a filter that grants elevated capabilities such as manage_options. Once these capabilities are granted, the attacker can modify WordPress options and create new Administrator accounts, compromising the integrity and control of the site.", "risk_and_exploitability": "With a CVSS score of 8.8, the vulnerability is considered high severity. Exploitation requires the attacker to be authenticated and possess Subscriber-level access, after which a crafted query string can be appended to an admin URL. Although EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, the ability to elevate privileges to full administrative control justifies urgent remediation."}}}}, "created": "2026-03-23T09:46:43.585349+00:00", "updated": "2026-03-25T14:46:43.828461+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpextended", "wpextended$PRODUCT$ultimate_wordpress_toolkit"]}