CVE-2025-49981
Description
Missing authorization in User Roles and Capabilities plugin allows unprivileged users to exploit incorrectly configured access controls, potentially leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The User Roles and Capabilities WordPress plugin (versions up to 1.2.6) contains a missing authorization vulnerability. The plugin fails to properly verify user capabilities or nonce tokens in certain functions, resulting in broken access control. This flaw allows an attacker to bypass intended security restrictions.
An attacker who is already authenticated with minimal privileges (e.g., a subscriber or contributor) can exploit this vulnerability. No special network position is required; the attacker only needs to send crafted requests to the WordPress installation. The missing authorization check means the plugin does not enforce role-based restrictions for specific actions.
Successful exploitation enables the attacker to perform actions reserved for higher-privileged users, such as creating new administrator accounts, modifying user roles and capabilities, or altering plugin settings. This can lead to full site compromise if the attacker escalates privileges to administrator.
The vulnerability has been addressed in version 1.2.7 of the plugin. Users are strongly advised to update immediately. If updating is not possible, site administrators should review user accounts and consider restricting access to the plugin's functionality until a patch can be applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
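The narrative above describes the defect class: request handlers that verify neither a nonce nor the caller's capability, so any authenticated user can reach privileged actions. The PHP below is an added illustration written for this page, not code from the User Roles and Capabilities plugin or its 1.2.7 fix; the plugin prefix `urc-demo`, the action names, the nonce action and the function names are all assumptions. It shows a hypothetical admin-ajax handler in its vulnerable form beside the hardened form, and the same control expressed on a REST route.

```php
<?php
/**
 * Added illustration, not code from the User Roles and Capabilities plugin.
 * Hypothetical plugin "urc-demo" exposing an admin-ajax action that grants
 * a capability to a role. Action names, nonce action and function names are
 * assumptions made for this example.
 */

// --- Vulnerable pattern: the handler trusts any logged-in caller. ---------
// wp_ajax_{action} hooks fire for every authenticated user regardless of role,
// so without an explicit capability check a subscriber can reach this code.
function urc_demo_grant_cap_vulnerable() {
    $role = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $cap  = sanitize_key( wp_unslash( $_POST['cap'] ?? '' ) );

    $role_obj = get_role( $role );
    if ( $role_obj ) {
        $role_obj->add_cap( $cap ); // a low-privileged role could be granted manage_options
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_urc_demo_grant_cap_vulnerable', 'urc_demo_grant_cap_vulnerable' );

// --- Hardened pattern: nonce (CSRF) plus capability (authorization). -----
function urc_demo_grant_cap_hardened() {
    // 1. The nonce check defends against cross-site request forgery only.
    //    It proves the request came from our own admin page, not that the
    //    caller is allowed to perform the action.
    check_ajax_referer( 'urc_demo_grant_cap', 'nonce' );

    // 2. Authorization: only users allowed to manage the site may edit roles.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $role = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $cap  = sanitize_key( wp_unslash( $_POST['cap'] ?? '' ) );

    // 3. Input validation: refuse unknown roles and empty capability names.
    $role_obj = get_role( $role );
    if ( ! $role_obj || '' === $cap ) {
        wp_send_json_error( array( 'message' => 'invalid role or capability' ), 400 );
    }

    $role_obj->add_cap( $cap );
    wp_send_json_success( array( 'role' => $role, 'cap' => $cap ) );
}
add_action( 'wp_ajax_urc_demo_grant_cap_hardened', 'urc_demo_grant_cap_hardened' );

// The admin page that issues the request must embed a matching nonce, e.g.:
// wp_localize_script( 'urc-demo', 'urcDemo',
//     array( 'nonce' => wp_create_nonce( 'urc_demo_grant_cap' ) ) );

// --- Same control on a REST route: permission_callback carries the check. --
add_action( 'rest_api_init', function () {
    register_rest_route( 'urc-demo/v1', '/grant-cap', array(
        'methods'  => 'POST',
        'callback' => function ( WP_REST_Request $req ) {
            $role_obj = get_role( sanitize_key( $req['role'] ) );
            if ( ! $role_obj ) {
                return new WP_Error( 'urc_bad_role', 'unknown role', array( 'status' => 400 ) );
            }
            $role_obj->add_cap( sanitize_key( $req['cap'] ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        // Never '__return_true' on a state-changing route. For cookie-based
        // callers WordPress additionally requires the X-WP-Nonce header.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

A nonce alone is not authorization: `check_ajax_referer()` only proves the request came from a page that embedded the nonce, which any logged-in user who can view that page can obtain; `current_user_can()` is what enforces the role restriction. When auditing a plugin for this class of defect, enumerate every `wp_ajax_*`, `admin_post_*` and `register_rest_route()` registration and confirm that each callback (or `permission_callback`) performs a capability check appropriate to the action it performs.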
Affected products
2 affected product entries, neither with a CPE identifier:
- (no CPE) range: <=1.2.6
- (no CPE) range: <=1.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.