Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-34901: Privilege Escalation in iControlWP
Plataforma
wordpress
Componente
worpit-admin-dashboard-plugin
Corregido en
5.5.4
CVE-2026-34901 is a critical Privilege Escalation vulnerability affecting the iControlWP plugin for WordPress. An unauthenticated attacker can exploit this flaw to elevate their privileges to that of a WordPress administrator, granting them full control over the site. This vulnerability impacts versions of iControlWP up to and including 5.5.3, and a patch is available in version 5.5.4.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Impacto y Escenarios de Ataquetraduciendo…
Successful exploitation of CVE-2026-34901 allows an attacker to bypass authentication and directly assume administrator privileges on a WordPress site. This grants them complete control, including the ability to install malicious plugins, modify themes, steal sensitive data (user credentials, customer information, financial data), deface the website, and potentially pivot to other systems on the network. The blast radius extends to all data and functionality accessible through the WordPress installation. Given the widespread use of WordPress and the plugin's management capabilities, this vulnerability poses a significant risk to a large number of websites.
Contexto de Explotacióntraduciendo…
CVE-2026-34901 has been published relatively recently (2026-04-07), and its EPSS score is likely to be assessed as medium to high due to the critical CVSS score and the ease of exploitation (unauthenticated). Public proof-of-concept (POC) code is likely to emerge, increasing the risk of widespread exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting iControlWP.
Inteligencia de Amenazas
Estado del Exploit
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
- Privileges Required
- Ninguno — sin autenticación. No se necesitan credenciales para explotar.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Sin cambio — el impacto se limita al componente vulnerable.
- Confidentiality
- Alto — pérdida total de confidencialidad. El atacante puede leer todos los datos.
- Integrity
- Alto — el atacante puede escribir, modificar o eliminar cualquier dato.
- Availability
- Alto — caída completa o agotamiento de recursos. Denegación de servicio total.
Software Afectado
Clasificación de Debilidad (CWE)
Cronología
- Publicada
- Modificada
Mitigación y Workaroundstraduciendo…
The primary mitigation for CVE-2026-34901 is to immediately upgrade the iControlWP plugin to version 5.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the iControlWP plugin to reduce the attack surface. While a direct WAF rule is unlikely to be effective against privilege escalation, implementing strict access controls and regularly auditing user permissions can help limit the impact of a successful breach. After upgrading, verify the fix by attempting to access administrative functions without proper authentication; successful access indicates the vulnerability persists.
Cómo corregirlo
Actualizar a la versión 5.5.4, o una versión parcheada más reciente
Preguntas frecuentestraduciendo…
What is CVE-2026-34901 — Privilege Escalation in iControlWP?
CVE-2026-34901 is a critical vulnerability in the iControlWP WordPress plugin allowing unauthenticated attackers to gain administrator privileges. This means an attacker can take complete control of the WordPress site without needing a username or password.
Am I affected by CVE-2026-34901 in iControlWP?
Yes, if you are using iControlWP version 5.5.3 or earlier, you are vulnerable. Check your plugin version using wp plugin list and upgrade immediately.
How do I fix CVE-2026-34901 in iControlWP?
Upgrade the iControlWP plugin to version 5.5.4 or later. If immediate upgrade is not possible, temporarily disable the plugin to reduce your risk.
Is CVE-2026-34901 being actively exploited?
While no active exploitation has been publicly confirmed, the vulnerability's critical severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories and threat intelligence.
Where can I find the official iControlWP advisory for CVE-2026-34901?
Refer to the iControlWP website and WordPress plugin repository for the latest security advisory and update information: [https://www.icontrolwp.com/](https://www.icontrolwp.com/)
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Escanea tu proyecto WordPress ahora — sin cuenta
Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.
Arrastra y suelta tu archivo de dependencias
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...