CVE-2026-0844

High

Published: 28 January 2026

Published

28 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0844 is a high-severity Improper Access Control (CWE-284) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to restrict low-privilege users like subscribers from modifying wp_capabilities via the profile_save_field function during profile updates.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation by patching the Simple User Registration plugin to version 6.8 or later, directly fixing the privilege escalation vulnerability.

AC-6 Least Privilege partial match

prevent

Limits initial user privileges to the minimum necessary, reducing the attack surface and potential impact of successful privilege escalation to administrator.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Direct privilege escalation via exploitation of improper access control in authenticated profile update function.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a…

subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

Deeper analysisAI

CVE-2026-0844 is a privilege escalation vulnerability in the Simple User Registration plugin for WordPress, affecting versions up to and including 6.7. The issue arises from insufficient restrictions on the 'profile_save_field' function, which allows authenticated attackers to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control). The vulnerability was published on 2026-01-28.

Attackers with minimal authenticated permissions, such as a subscriber role, can exploit this vulnerability remotely over the network with low complexity and no user interaction. By submitting a crafted profile update, they can escalate their privileges, such as changing their role to administrator, thereby gaining high-level access to the WordPress site.

Advisories and code references, including those from Wordfence and the plugin's Trac repository, highlight the vulnerable code in class.profile.php (line 401) and class.user.php (line 305) in version 6.7, with changes visible in version 6.8's class.profile.php. Security practitioners should update to version 6.8 or later to mitigate the issue, and consult the referenced Wordfence threat intelligence for further details.