CVE-2026-7106
Privilege Escalation in Highland Software Role Manager Plugin
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| highland_software | custom_role_manager | up to and including 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Highland Software Custom Role Manager plugin for WordPress contains a privilege escalation vulnerability. The function hscrm_save_user_roles(), which updates user roles, does not perform a proper authorization (capability) check. Because it is hooked to the personal_options_update action, which WordPress fires whenever a logged-in user saves their own profile, any authenticated user, including one with only Subscriber-level access, can submit the profile update form and have the function change user roles on their behalf.
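The pattern the advisory describes, shown as an added illustration that is not the plugin's own code: the handler names and the `hscrm_role` form field are assumptions, while the hook names and WordPress functions are real. The hardened handler gates the role change on the `promote_users` capability, verifies the profile form nonce, and only accepts roles the current user is permitted to assign.

```php
<?php
// Added illustration, not the plugin's code. Hook names and WordPress APIs are
// real; the handler names and the 'hscrm_role' form field are assumptions.

// Pattern described in the advisory: the callback trusts the POSTed role and
// writes it for the user whose profile is being saved, with no capability
// check, so any logged-in user saving their own profile can change their role.
function example_save_user_roles_unsafe( $user_id ) {
    if ( isset( $_POST['hscrm_role'] ) ) {
        $user = get_userdata( $user_id );
        $user->set_role( $_POST['hscrm_role'] ); // no authorization, no validation
    }
}

// Hardened version: role assignment is a 'promote_users' action, not a
// profile edit, so the handler checks that capability explicitly.
function example_save_user_roles_safe( $user_id ) {
    if ( ! isset( $_POST['hscrm_role'] ) ) {
        return;
    }
    // Only users allowed to promote others, and allowed to edit this user, proceed.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // user-edit.php verifies this nonce before firing the hook, but the
    // handler should not depend on its caller for that.
    check_admin_referer( 'update-user_' . $user_id );

    $role = sanitize_key( wp_unslash( $_POST['hscrm_role'] ) );
    // get_editable_roles() applies the 'editable_roles' filter, so a caller
    // cannot assign a role above what their own capabilities allow.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $role );
    }
}

add_action( 'personal_options_update', 'example_save_user_roles_safe' );
add_action( 'edit_user_profile_update', 'example_save_user_roles_safe' );
```

When reviewing a plugin for this class of bug, look for any callback on personal_options_update or edit_user_profile_update that calls set_role(), add_role() or update_user_meta() on capability-related keys without a current_user_can() check of its own.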
How can this vulnerability impact me?
This vulnerability can have a significant impact because it allows an authenticated user with low-level access (such as a Subscriber) to escalate their privileges by changing user roles. This could lead to unauthorized access to administrative functions, data modification, or other high-level actions within the WordPress site, potentially compromising the entire site's security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access or higher to escalate privileges by modifying user roles. This can lead to unauthorized access to sensitive data or administrative functions.
Such unauthorized privilege escalation can impact compliance with standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
If exploited, this vulnerability could result in data breaches or unauthorized data modifications, potentially violating regulatory requirements for data confidentiality, integrity, and access management.