{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7106", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-26T14:20:17.528Z", "datePublished": "2026-04-27T02:26:24.266Z", "dateUpdated": "2026-04-29T13:44:33.298Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-27T02:26:24.266Z"}, "affected": [{"vendor": "jgrodgers", "product": "Highland Software Custom Role Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form."}], "title": "Highland Software Custom Role Manager <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981f-bcbc0bb044f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.1/includes/user-ui.php#L203"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Herc Bandiola"}], "timeline": [{"time": "2026-04-26T14:20:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T13:44:24.739726Z", "id": "CVE-2026-7106", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T13:44:33.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7106", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-29T13:44:24.739726Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T13:44:29.645Z"}}], "cna": {"title": "Highland Software Custom Role Manager <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Herc Bandiola"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "jgrodgers", "product": "Highland Software Custom Role Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-26T14:20:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981f-bcbc0bb044f7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.1/includes/user-ui.php#L203"}], "descriptions": [{"lang": "en", "value": "The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-27T02:26:24.266Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7106", "state": "PUBLISHED", "dateUpdated": "2026-04-29T13:44:33.298Z", "dateReserved": "2026-04-26T14:20:17.528Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-27T02:26:24.266Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form."}], "id": "CVE-2026-7106", "lastModified": "2026-04-27T18:38:48.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-27T03:16:00.297", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L289"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.1/includes/user-ui.php#L203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L289"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981f-bcbc0bb044f7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Highland Software Custom Role Manager", "source": "cna", "vendor": "jgrodgers"}, "product": "highland_software_custom_role_manager", "vendor": "jgrodgers"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T04:53:28.442469+00:00", "value": {"mitigation_remediation": ["Upgrade the Highland Software Custom Role Manager plugin to a version newer than 1.0.0, which removes the flawed authorization check in hscrm_save_user_roles().", "If an upgrade is not immediately possible, deactivate or uninstall the Highland Software Custom Role Manager plugin to eliminate the vulnerable functionality.", "As a temporary precaution, add a capability check on the personal_options_update hook so that only users with Administrator privileges can execute hscrm_save_user_roles(); this can be done by inserting a check for current_user_can('manage_options') before the role assignment logic."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Highland Software Custom Role Manager plugin, version 1.0.0 and earlier, published by jgrodgers on the WordPress plugin repository. No later versions were reported to contain the flaw.", "description_and_impact": "The Highland Software Custom Role Manager plugin for WordPress is vulnerable due to an insufficient authorization check in the hscrm_save_user_roles() function. This function is hooked to the personal_options_update action, which any authenticated user can trigger. An attacker with Subscriber or higher access can therefore modify user roles through the profile update form, potentially granting themselves higher privileges or altering other users' roles, leading to full site compromise.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this issue as high severity, while the EPSS score of < 1% indicates a low likelihood of exploitation as of the latest data. The vulnerability is not listed in CISA KEV. Exploitation requires a victim to be logged in with at least Subscriber privileges and to submit a profile update request; no elevation to full administrator is required to trigger the underlying issue. Once the role update is performed, the attacker can acquire any privileges granted to the new role, which poses an ongoing threat to site integrity and confidentiality."}}}}, "created": "2026-04-27T19:51:46.673126+00:00", "updated": "2026-04-28T05:00:14.745976+00:00", "vendors": ["jgrodgers", "jgrodgers$PRODUCT$highland_software_custom_role_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}