Cyber Resilience

CVE-2026-0844

High

Published: 28 January 2026

Published
28 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0029 20.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0844 is a high-severity Improper Access Control (CWE-284) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0844 is a privilege escalation vulnerability in the Simple User Registration plugin for WordPress, affecting versions up to and including 6.7. The issue arises from insufficient restrictions on the 'profile_save_field' function, which allows authenticated attackers to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control). The vulnerability was published on 2026-01-28.

Attackers with minimal authenticated permissions, such as a subscriber role, can exploit this vulnerability remotely over the network with low complexity and no user interaction. By submitting a crafted profile update, they can escalate their privileges, such as changing their role to administrator, thereby gaining high-level access to the WordPress site.

Advisories and code references, including those from Wordfence and the plugin's Trac repository, highlight the vulnerable code in class.profile.php (line 401) and class.user.php (line 305) in version 6.7, with changes visible in version 6.8's class.profile.php. Security practitioners should update to version 6.8 or later to mitigate the issue, and consult the referenced Wordfence threat intelligence for further details.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a…

more

subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via exploitation of improper access control in authenticated profile update function.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20628Shared CWE-284
CVE-2025-48619Shared CWE-284
CVE-2025-21405Shared CWE-284
CVE-2026-24303Shared CWE-284
CVE-2026-24290Shared CWE-284
CVE-2026-41086Shared CWE-284
CVE-2026-48904Shared CWE-284
CVE-2026-35243Shared CWE-284
CVE-2025-24076Shared CWE-284
CVE-2024-38310Shared CWE-284

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to restrict low-privilege users like subscribers from modifying wp_capabilities via the profile_save_field function during profile updates.

prevent

Requires timely remediation by patching the Simple User Registration plugin to version 6.8 or later, directly fixing the privilege escalation vulnerability.

prevent

Limits initial user privileges to the minimum necessary, reducing the attack surface and potential impact of successful privilege escalation to administrator.

References