CVE-2025-11620
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | multiple_roles_per_user | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Multiple Roles per User plugin for WordPress, where a missing capability check in certain functions allows authenticated users with the 'edit_users' capability to modify any user's roles. This means they can promote users to Administrator or demote Administrators to lower-privileged roles without proper authorization.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized privilege escalation or privilege reduction within a WordPress site. An authenticated attacker holding the 'edit_users' capability can gain full administrative control or strip existing administrators of their privileges, potentially compromising the site's confidentiality, integrity, and availability.