Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration
Details
CVSS v3: 9.8
NVD published: 2026-05-05 03:15:58
EPSS: <0.1% probability, 25.6th percentile (as of 2026-05-12)
Affected versions: WordPress Mentoring plugin versions up to and including 1.2.8
Summary
This vulnerability allows unauthenticated remote attackers to gain administrator-level privileges on affected WordPress sites. During registration the plugin does not restrict which WordPress role a new user may select, so the role is effectively chosen by the client rather than enforced server-side. Attackers can therefore register fully privileged administrator accounts directly and take over the entire site.
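The root cause described above is a registration handler that honours a client-supplied role. The following is an added illustration, not code from the Mentoring plugin or from its author: a WordPress AJAX registration handler that resolves the role server-side from a fixed allowlist, so a request carrying `administrator` (or any other unlisted value) is downgraded to the least-privileged role. The handler name `example_process_registration`, the nonce action `example_register`, the POST field names and the custom role `mentee` are all assumptions.

```php
<?php
// Added example (not the Mentoring plugin's code): a registration handler that
// only ever assigns roles from a fixed allowlist. The handler name, nonce action,
// request field names and the custom 'mentee' role are assumptions.

// Roles a self-registering user may receive. Privileged roles are deliberately
// absent; 'mentee' stands in for whatever low-privilege custom role a plugin defines.
const EXAMPLE_SELF_REGISTER_ROLES = array( 'subscriber', 'mentee' );

function example_resolve_registration_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    // Unknown or privileged values fall back to the least-privileged role, so a
    // client-supplied 'administrator' can never be honoured.
    if ( ! in_array( $requested, EXAMPLE_SELF_REGISTER_ROLES, true ) ) {
        return 'subscriber';
    }
    return $requested;
}

function example_process_registration() {
    // The form must have been rendered by this site (CSRF protection).
    check_ajax_referer( 'example_register', 'nonce' );

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    // Role is decided here, on the server, not taken verbatim from the request.
    $role     = example_resolve_registration_role( $_POST['role'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid fields.' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // allowlisted value, never raw client input
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}

// Unauthenticated visitors need to reach this endpoint, so it is registered on the
// nopriv hook; that is exactly why the role must be constrained inside the handler.
add_action( 'wp_ajax_nopriv_example_register', 'example_process_registration' );
```

When reviewing a plugin for this class of bug, the pattern to look for is a `role` (or `user_role`) key in the array passed to `wp_insert_user()` or a `set_role()` call whose value traces back to `$_POST`/`$_REQUEST` without an allowlist check. On a site that was exposed, compare the creation dates of administrator accounts in the `wp_users` table against the expected set, since a successful exploit leaves behind a new administrator rather than modifying an existing one.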
Remediation
Update the Mentoring plugin for WordPress to the latest patched version immediately. If a patched version is not available, disable and remove the plugin from your WordPress installation. Add web application firewall rules to block access to the vulnerable registration endpoint until remediation is complete.