Cyber Resilience

CVE-2025-22736

Severity: High
Published: 15 January 2025
Modified: 23 April 2026
CISA KEV: not listed
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0029 (52.5th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22736 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By EPSS the CVE ranks in the top 47.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-22736 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the User Management WordPress plugin developed by Saad Iqbal. The flaw enables privilege escalation and affects the plugin from its initial release through version 1.2.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by an authenticated user holding low privileges, with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, since it allows escalation to higher privileges such as administrator rights on the affected WordPress site.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/user-management/vulnerability/wordpress-user-management-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve details this privilege escalation issue in User Management plugin version 1.2. Security practitioners should review the advisory for mitigation guidance and patch information.

Vulnerability details

Incorrect Privilege Assignment vulnerability in Saad Iqbal User Management user-management allows Privilege Escalation. This issue affects User Management: from n/a through <= 1.2.

CWE(s)

CWE-266 Incorrect Privilege Assignment
Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes an incorrect privilege assignment vulnerability in a WordPress plugin that directly enables an authenticated low-privileged user to escalate to administrator rights, mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42368 (shared CWE-266)
CVE-2025-69293 (shared CWE-266)
CVE-2026-42680 (shared CWE-266)
CVE-2025-69378 (shared CWE-266)
CVE-2026-27102 (shared CWE-266)
CVE-2024-40591 (shared CWE-266)
CVE-2026-48879 (shared CWE-266)
CVE-2025-33179 (shared CWE-266)
CVE-2026-25414 (shared CWE-266)
CVE-2026-24963 (shared CWE-266)

Mitigating Controls (NIST 800-53 r5)

Least privilege (prevent): Enforces the principle of least privilege to prevent low-privileged users from escalating to administrator rights via the plugin's incorrect privilege assignment.

AC-2 Account Management (prevent): Manages user account privileges to ensure correct assignment and avoid escalation flaws like those in the User Management plugin.

AC-3 Access Enforcement (prevent): Requires enforcement of approved access authorizations, countering the plugin's failure to properly restrict privilege escalations.
