WP Extended plugin versions up to and including 3.2.4
Summary
This flaw allows authenticated attackers with Subscriber-level access to escalate their privileges to administrator on affected WordPress sites. The vulnerability stems from an insecure strpos() check that incorrectly grants elevated capabilities to users who should not have them. Attackers can use this flaw to create new administrator accounts and take full control of the site.
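As an added illustration (not the plugin's code, whose exact check the advisory does not show), the following constructed PHP contrasts a strpos()-based authorization test with a check that relies on WordPress's capability API; the function names, the role string and the `manage_options` capability are assumptions chosen for the demonstration.

```php
<?php
// Constructed example for illustration; not taken from WP Extended.

// Weak pattern: a substring search on a caller-influenced string stands in
// for an authorization decision.
function weak_grant_admin(string $requested_roles): bool {
    // strpos() only answers "does this substring occur somewhere?". Any value
    // that merely contains the word passes, e.g. "subscriber,administrator-lite",
    // so a low-privileged user who controls the string can satisfy the check.
    return strpos($requested_roles, 'administrator') !== false;
}

// Hardened pattern: never derive authorization from request data. Ask
// WordPress whether the *current user* already holds the capability.
function safe_grant_admin(): bool {
    if (!function_exists('current_user_can')) {
        return false; // outside WordPress there is no trusted user context
    }
    return current_user_can('manage_options');
}

// When a role name must be compared, compare it exactly against the user's
// stored roles rather than searching for a substring.
function has_exact_role(WP_User $user, string $role): bool {
    return in_array($role, $user->roles, true); // strict, whole-string match
}
```

For defenders reviewing plugin code, any branch that grants capabilities based on strpos(), stripos() or similar substring tests over request-derived values is a review finding regardless of the plugin involved.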
Remediation
Update the WP Extended plugin to the latest patched version from the official WordPress plugin repository immediately. If a patch is not yet available, disable the plugin temporarily to eliminate exposure. Restrict administrative access to trusted personnel only to reduce risk.