CVE-2026-22337
Published: 27 April 2026
Summary
CVE-2026-22337 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 17.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the incorrect privilege assignment vulnerability by requiring timely patching of the Directorist Social Login plugin to version 2.1.4 or later.
- AC-6 (Least Privilege): enforces the least privilege principle to prevent or limit damage from privilege escalation exploits in the WordPress plugin.
- AC-2 (Account Management): manages account creation, modification, and privilege assignment to avoid incorrect privilege grants exploitable by unauthenticated attackers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, remote, unauthenticated exploitation of a public-facing WordPress plugin for privilege escalation via incorrect privilege assignment.
NVD Description
Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: from n/a before 2.1.4.
Deeper analysis
CVE-2026-22337 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Directorist Social Login WordPress plugin that enables privilege escalation. The issue affects all versions of the plugin prior to 2.1.4. The vulnerability was published on 2026-04-27 and assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity, reflecting network-reachable, low-complexity exploitation with no privileges or user interaction required and high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation yields privilege escalation, granting elevated access within the affected WordPress environment and potentially unauthorized control over site resources.
The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve details the vulnerability and recommends updating to version 2.1.4 or later to mitigate the issue.
Details
- CWE(s)