CVE-2025-62883
Description
Missing Authorization vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premmerce User Roles: from n/a through <= 1.0.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Premmerce User Roles plugin <=1.0.13 allows unauthenticated attackers to modify user role settings.
Vulnerability Overview
The Premmerce User Roles plugin for WordPress versions up to and including 1.0.13 contains a missing authorization vulnerability. The plugin fails to properly check access control security levels when processing certain functions, allowing exploitation of incorrectly configured access controls. This is classified as a Broken Access Control issue [1].
Exploitation Method
An attacker can exploit this vulnerability without needing any prior authentication. Because the plugin lacks nonce token or capability checks, unprivileged users could execute higher-privileged actions, such as modifying user role capabilities. The attack vector is network-based with low complexity, requiring no user interaction. The CVSS base score is 4.3 (Medium) [1].
Impact
Successful exploitation enables an attacker to alter the permissions assigned to user roles, potentially granting unauthorized access to sensitive administrative functions. This could lead to privilege escalation, where lower-privileged users gain capabilities they should not have, compromising the site's security [1].
Mitigation
The vendor has released version 1.0.14 which resolves the vulnerability by implementing proper access control checks. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer is recommended. Patchstack users may enable auto-updates for vulnerable plugins through Patchstack [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.0.13
- (no CPE) range: <=1.0.13
Patches
No patches discovered yet.