Platform: wordpress
Component: wpextended
Fixed in: 3.2.5
CVE-2026-4314 is a privilege escalation vulnerability in the 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress. An authenticated attacker can have the plugin grant them the 'manage_options' capability, which in WordPress is effectively administrator-level control of the site. All versions up to and including 3.2.4 are affected (the advisory lists the range as 0.0.0 through 3.2.4); the fix is in version 3.2.5.
With manage_options an attacker has full administrative control of the WordPress site: installing and removing plugins and themes, editing theme files, changing user roles and creating further administrator accounts, reading any data the application can reach, and defacing the site. The flaw is in the plugin's Menu Editor module: isDashboardOrProfileRequest() decides whether a request targets the dashboard or profile page with a substring match (strpos()) rather than a strict comparison, so a request that merely contains the expected string passes the check; grantVirtualCaps() then adds manage_options to the requesting user. Note that this is administrator access inside WordPress, not root on the host, although a WordPress administrator can normally upload PHP code through the plugin and theme installers unless file modifications are disabled (DISALLOW_FILE_MODS), so in practice it usually leads to code execution as the web server user. Given how widely WordPress is deployed, the potential for data compromise and disruption is significant.
CVE-2026-4314 was published on 2026-03-22 and is rated HIGH with a CVSS base score of 8.8. No public proof-of-concept code is known at the time of writing, but the flaw is simple enough that one is likely to appear. No active exploitation campaigns have been reported; since the advisory requires only an authenticated account, not a specific role, monitoring for unexpected privilege changes is advisable. The CVE is not in CISA's KEV catalog; its EPSS score is 0.04% (14th percentile), consistent with no known exploitation so far.
Exploit status: no public proof of concept known; no active exploitation reported
EPSS: 0.04% (14th percentile)
CISA SSVC: not provided
CVSS vector: not provided (base score 8.8, HIGH)
The primary mitigation for CVE-2026-4314 is to upgrade the 'The Ultimate WordPress Toolkit – WP Extended' plugin to version 3.2.5 or later immediately. If upgrading is not immediately feasible because of compatibility testing, deactivating the plugin until the upgrade is applied removes the vulnerable code path entirely, at the cost of the plugin's features; alternatively, temporarily restricting which accounts can reach the dashboard and profile pages limits, but does not eliminate, the attacker's ability to reach the flawed check. Review WordPress user roles and permissions to ensure least privilege is enforced, and in particular look for administrator accounts you do not recognise: an attacker who obtained manage_options could have created or promoted accounts to keep access after the plugin is patched. After upgrading, confirm the fix by attempting to reach administrative functions with a non-administrator account; access should be denied.
Update to version 3.2.5 or a later fixed version.
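The least-privilege review above is easiest to automate as a diff between the administrators you expect and the ones the site reports. The following is an added example, not code from the advisory or from the WP Extended project; it assumes WP-CLI is installed and that `wp user list --role=administrator` is the source of live administrator logins, and the expected list and the sample data are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the WP Extended project.
# Audits a site's administrator accounts against an operator-maintained list,
# the least-privilege review the advisory recommends after an authenticated
# privilege-escalation bug. Assumptions: WP-CLI is available and `wp user list`
# reports the live administrator logins.

# unexpected_admins EXPECTED ACTUAL: print every login in ACTUAL that is not in
# EXPECTED. Both arguments are newline-separated lists of user logins.
unexpected_admins() {
    expected="$1"
    printf '%s\n' "$2" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        # -F fixed string, -x whole line, -q quiet: exact login match only
        printf '%s\n' "$expected" | grep -Fxq -- "$login" || printf '%s\n' "$login"
    done
}

# count_unexpected EXPECTED ACTUAL: number of administrators not in EXPECTED.
count_unexpected() {
    unexpected_admins "$1" "$2" | wc -l | tr -d ' '
}

# live_admins WP_PATH: administrator logins from the live site via WP-CLI.
live_admins() {
    wp --path="$1" user list --role=administrator --field=user_login
}

# audit_site WP_PATH EXPECTED: report and return 2 when unexpected admins exist.
audit_site() {
    found=$(unexpected_admins "$2" "$(live_admins "$1")")
    if [ -n "$found" ]; then
        echo "$1: unexpected administrator accounts:"
        printf '  %s\n' $found
        return 2
    fi
    echo "$1: administrator list matches expectations"
}

# Constructed sample data (not from a real site): the operator expects two
# administrators, the site reports a third, which is what an attacker's
# persistence account would look like after a successful escalation.
EXPECTED_ADMINS="alice
bob"
SAMPLE_ADMINS="alice
bob
wpx-support"

# Stand-alone demo, no WordPress install needed.
unexpected_admins "$EXPECTED_ADMINS" "$SAMPLE_ADMINS"   # prints: wpx-support
# Against a live site: audit_site /var/www/html "$EXPECTED_ADMINS"
```

Run the audit before and after the upgrade: a login that appears only in the "after" run was created while the plugin was vulnerable and deserves a closer look at its creation time and last login.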
CVE-2026-4314 is a HIGH severity vulnerability in the WP Extended WordPress plugin that lets authenticated attackers obtain the 'manage_options' capability, effectively administrative access. It affects all versions up to and including 3.2.4 (listed as 0.0.0–3.2.4) because of an insecure check in the Menu Editor module.
You are affected if your WordPress site has the WP Extended plugin installed at version 3.2.4 or earlier. Check the installed version with wp plugin list (or on the Plugins screen in wp-admin) and upgrade immediately if it is vulnerable.
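For fleets of sites the version check is worth scripting. The following is an added example, not code from the advisory or from the WP Extended project; it assumes the plugin slug is wpextended, that WP-CLI's `wp plugin get` reports the installed version, and that versions are dotted integers (pre-release suffixes are not handled).

```shell
#!/bin/sh
# Added example, not code from the advisory or from the WP Extended project.
# Decides whether an installed WP Extended version is affected by CVE-2026-4314
# (fixed in 3.2.5). Assumptions: the plugin slug is "wpextended", WP-CLI's
# `wp plugin get` reports the installed version, versions are dotted integers.

FIXED_VERSION="3.2.5"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Compares component by component as integers, so 3.10.0 > 3.2.5; a missing
# component counts as 0, so 3.2 < 3.2.5.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# is_vulnerable VERSION: succeed when VERSION is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version WP_PATH: installed wpextended version, empty if not installed.
installed_version() {
    wp --path="$1" plugin get wpextended --field=version 2>/dev/null || true
}

# check_site WP_PATH: report status; return 2 when the site is vulnerable.
check_site() {
    ver=$(installed_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: wpextended is not installed"
        return 0
    fi
    if is_vulnerable "$ver"; then
        echo "$1: wpextended $ver is affected by CVE-2026-4314, upgrade to $FIXED_VERSION or later"
        return 2
    fi
    echo "$1: wpextended $ver is fixed"
}

# Stand-alone demo on constructed version strings (no WordPress install needed).
for v in 3.2.4 3.2.5 3.10.0; do
    if is_vulnerable "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
# Against a live site: check_site /var/www/html
```

The comparison is done per component rather than as a string so that a future 3.10.x release is not misread as older than 3.2.5; for a site without WP-CLI, the same version string is in the plugin's main file header under the Plugins screen.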
Upgrade the WP Extended plugin to version 3.2.5 or later; this corrects the insecure check and prevents the privilege escalation. If an immediate upgrade is not possible, deactivate the plugin or restrict access to the dashboard and profile pages as a temporary measure.
No active exploitation campaigns have been reported yet, but the vulnerability's simplicity makes it a likely target. Continuous monitoring and prompt patching are essential.
Refer to the official WP Extended plugin website or the WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-4314.