CVE-2025-22736
Published: 15 January 2025
Summary
CVE-2025-22736 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 47.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-22736 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the User Management WordPress plugin developed by Saad Iqbal. The flaw enables privilege escalation and affects the plugin from its initial release through version 1.2.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by an authenticated user possessing low privileges, requiring low complexity and no user interaction. Successful exploitation grants the attacker high-impact access to confidentiality, integrity, and availability, allowing escalation to higher privileges such as administrator rights on the affected WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/user-management/vulnerability/wordpress-user-management-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve details this privilege escalation issue in User Management plugin version 1.2. Security practitioners should review the advisory for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2954
Vulnerability details
Incorrect Privilege Assignment vulnerability in Saad Iqbal User Management (user-management) allows Privilege Escalation. This issue affects User Management: from n/a through <= 1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
The CVE describes an incorrect privilege assignment vulnerability in a WordPress plugin that directly enables an authenticated low-privileged user to escalate to administrator rights, which maps to Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
- Enforces the principle of least privilege to prevent low-privileged users from escalating to administrator rights via the plugin's incorrect privilege assignment.
- AC-2 (Account Management): Manages user account privileges to ensure correct assignment and avoid escalation flaws like those in the User Management plugin.
- AC-3 (Access Enforcement): Requires enforcement of approved access authorizations, countering the plugin's failure to properly restrict privilege escalation.