Platform: wordpress
Component: toret-manager
Fixed in: 1.2.8
CVE-2026-0912 is a privilege escalation vulnerability discovered in the Toret Manager WordPress plugin. This flaw allows authenticated attackers with Subscriber-level access or higher to modify arbitrary WordPress options, potentially leading to unauthorized administrative control. The vulnerability impacts versions 1.0.0 through 1.2.7, and a fix is available in version 1.3.0.
The core of this vulnerability lies in the absence of proper capability checks within the trmansaveoption and trmansaveoption_items functions. This oversight permits authenticated users, even those with limited privileges like Subscriber, to manipulate critical WordPress configuration settings. A malicious actor could exploit this to update the default user role for new registrations to 'administrator,' effectively granting themselves full administrative access upon account creation. This bypasses standard WordPress security measures and allows for complete control over the site, including data modification, installation of malicious code, and account compromise. The potential blast radius is significant, as a successful exploitation could compromise the entire WordPress instance and any associated data.
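As an added illustration (not Toret Manager's own code; the handler, nonce action and option names are hypothetical), the pattern the advisory describes, an options-saving AJAX handler with no capability check, shown beside a hardened form that checks capability and nonce and restricts writes to an allowlist of plugin-owned options:

```php
<?php
// Illustrative WordPress AJAX handlers (hypothetical; not the plugin's code).
// wp_ajax_* actions are reachable by any logged-in user, including Subscribers,
// so authorization must happen inside the handler.

// VULNERABLE PATTERN: no capability check, no nonce, caller-chosen option name.
// A Subscriber could overwrite core options such as 'default_role'.
function example_save_option_unsafe() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );
    wp_send_json_success();
}

// HARDENED PATTERN: capability check, nonce check, allowlisted option names.
function example_save_option_hardened() {
    // Only users who may manage site settings can reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 ); // exits
    }
    // Reject requests without a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'example_save_option', 'nonce' );

    // Only options the plugin itself owns; core options like 'default_role'
    // or 'users_can_register' are never writable through this handler.
    $allowed = array( 'example_plugin_api_url', 'example_plugin_sync_interval' );
    $name    = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option_not_allowed', 400 ); // exits
    }
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_option', 'example_save_option_hardened' );
```

The allowlist is the part that matters most for this class of bug: even with a capability check, a handler that accepts arbitrary option names lets any compromised or over-privileged account rewrite core settings.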
CVE-2026-0912 was publicly disclosed on 2026-02-19. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of the privilege escalation and the plugin's popularity, it's reasonable to assume that exploitation attempts could occur if the vulnerability remains unpatched.
Exploit Status: EPSS 0.05% (15th percentile)
The primary mitigation for CVE-2026-0912 is to immediately upgrade the Toret Manager plugin to version 1.3.0 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's settings pages to prevent unauthorized modifications. While not a complete solution, implementing a Web Application Firewall (WAF) rule to block requests to the trmansaveoption and trmansaveoption_items endpoints with insufficient user capabilities could offer a temporary layer of protection. Regularly review WordPress user roles and permissions to ensure they adhere to the principle of least privilege.
Update to version 1.3.0, or a newer patched version
CVE-2026-0912 is a vulnerability in the Toret Manager WordPress plugin that allows authenticated users to escalate privileges by modifying WordPress options, potentially gaining administrative access.
You are affected if you are using Toret Manager versions 1.0.0 through 1.2.7. Upgrade to version 1.3.0 or later to resolve the issue.
Upgrade the Toret Manager plugin to version 1.3.0 or later. If upgrading is not possible, restrict access to the plugin's settings pages.
There are currently no known public exploits, but exploitation is possible given the vulnerability's nature.
Refer to the plugin developer's website or WordPress.org plugin page for updates and advisories related to CVE-2026-0912.