{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/highland-software/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7106"}],"_cs_exploited":false,"_cs_products":["Custom Role Manager plugin"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cve"],"_cs_type":"advisory","_cs_vendors":["Highland Software"],"content_html":"\u003cp\u003eThe Highland Software Custom Role Manager plugin, versions up to and including 1.0.0, is vulnerable to privilege escalation. The vulnerability, identified as CVE-2026-7106, stems from a lack of sufficient authorization checks within the \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function. This function is accessible to any authenticated user via the \u003ccode\u003epersonal_options_update\u003c/code\u003e action. This allows an attacker with minimal privileges (subscriber level or higher) to potentially elevate their own privileges or those of other users by manipulating user roles through the profile update form. Successful exploitation grants attackers the ability to perform actions reserved for higher-level administrators, potentially leading to complete site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a WordPress user account with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress site using their credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses their user profile page, typically located at \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003epersonal_options_update\u003c/code\u003e action, modifying the \u003ccode\u003ewp_capabilities\u003c/code\u003e user meta field. The request is designed to bypass the insufficient authorization checks in the \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted request is submitted through the profile update form. This likely involves intercepting and modifying the POST request sent when the user clicks the \u0026ldquo;Update Profile\u0026rdquo; button.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehscrm_save_user_roles()\u003c/code\u003e function is triggered, and due to the missing authorization checks, the attacker\u0026rsquo;s modified user roles are saved to the database.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s account now possesses elevated privileges, such as administrator or editor roles, depending on the attacker\u0026rsquo;s goal and the payload in the malicious request.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7106 allows attackers with minimal privileges to gain administrative control over the WordPress site. This can lead to a variety of malicious activities, including defacement, malware injection, data theft, and denial of service. Given the widespread use of WordPress, this vulnerability poses a significant risk to websites using the affected plugin. A successful attack can result in complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Highland Software Custom Role Manager plugin to a patched version that addresses CVE-2026-7106.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for suspicious POST requests to \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e targeting the \u003ccode\u003epersonal_options_update\u003c/code\u003e action to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress Role Updates\u003c/code\u003e to identify attempts to modify user roles from subscriber-level accounts.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions regularly to identify and remediate any unauthorized privilege escalations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wordpress-privesc/","summary":"Highland Software's Custom Role Manager plugin for WordPress, versions 1.0.0 and earlier, contains a privilege escalation vulnerability (CVE-2026-7106) that allows authenticated users with subscriber-level access to modify user roles due to insufficient authorization checks in the hscrm_save_user_roles() function.","title":"WordPress Custom Role Manager Plugin Privilege Escalation via CVE-2026-7106","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Highland Software","version":"https://jsonfeed.org/version/1.1"}