User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
Description
The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- User Role by BestWebSoft, range: < 1.6.7
Patches
Vulnerability mechanics
Root cause
"Missing CSRF protection on requests to update role capabilities allows an attacker to forge requests that modify any role's privileges."
Attack vector
An attacker crafts a malicious page or link that, when visited by an authenticated WordPress administrator, silently submits a forged request to the plugin's role-capability update endpoint. Because the plugin does not include a CSRF token or other anti-forgery mechanism [CWE-352], the browser automatically attaches the victim's session cookies, causing the server to process the attacker's desired capability changes. This enables the attacker to escalate privileges of any role (e.g., promoting a low-privileged user to administrator) without the victim's knowledge or consent [ref_id=1].
Affected code
The advisory does not specify the exact file or function at fault. The vulnerable code is the handler that processes role capability update requests in the User Role by BestWebSoft plugin prior to version 1.6.7 [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.6.7 [ref_id=1], but no patch diff is provided in the bundle. The fix likely introduces CSRF nonce verification on the role-capability update request handler, ensuring that only requests originating from the legitimate plugin admin page (where the nonce is embedded) are accepted. Without the patch source, the exact implementation cannot be confirmed.
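As an added illustration (not the plugin's code, which the advisory does not show), the following hypothetical WordPress admin-post handler shows the two halves of the protection the fix is expected to add: a nonce embedded in the plugin's own form and `check_admin_referer()` on the request that updates a role's capabilities, followed by a capability check. The action name, form field names and admin page slug are assumptions for this example.

```php
<?php
// Hypothetical form + handler (example code, not the plugin's own) showing
// WordPress CSRF protection for a role-capability update request.

// Action and nonce names are assumptions for this example.
const EXAMPLE_NONCE_ACTION = 'example_update_role_caps';

// Renders the form on the plugin's own admin page. wp_nonce_field() emits a
// hidden input tied to the current user and session, so a form served from
// an attacker-controlled page cannot carry a valid value.
function example_render_role_form( $role_name ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_update_role_caps">';
    echo '<input type="hidden" name="role" value="' . esc_attr( $role_name ) . '">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION );
    echo '<input type="text" name="caps[]" value="edit_posts">';
    submit_button( 'Save capabilities' );
    echo '</form>';
}

// Handles the POST. Order matters: verify the nonce first, then confirm the
// caller is actually allowed to edit roles, and only then touch the role.
function example_handle_role_update() {
    // Ends the request with a 403 page if the nonce is missing, expired,
    // or was issued for a different user.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // A nonce proves intent, not authority: still require the capability.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $role_name = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';
    $role      = get_role( $role_name );
    if ( ! $role ) {
        wp_die( 'Unknown role', '', array( 'response' => 400 ) );
    }

    $caps = isset( $_POST['caps'] ) ? (array) wp_unslash( $_POST['caps'] ) : array();
    foreach ( array_map( 'sanitize_key', $caps ) as $cap ) {
        $role->add_cap( $cap );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-roles&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_update_role_caps', 'example_handle_role_update' );
```

The unpatched pattern described in the advisory corresponds to the same handler with the `check_admin_referer()` call absent, so the session cookie alone is enough for the server to accept the request.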
Preconditions
- auth: A WordPress administrator must be logged in and visit a page controlled by the attacker (or a page hosting a crafted CSRF payload).
- input: The attacker must know or guess the target role name and desired capabilities to include in the forged request.
- config: The vulnerable plugin version must be prior to 1.6.7.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/b93d9f9d-0fd9-49b8-b465-d32b95351912 (source: mitre; tags: exploit, vdb-entry, technical-description)