CVE-2026-27541
Published: 05 March 2026
Summary
CVE-2026-27541 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 17.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-27541 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Wholesale Suite WordPress plugin (woocommerce-wholesale-prices) developed by Josh Kohlbach. The flaw enables privilege escalation and affects the plugin from unknown initial versions through 2.2.6. Published on 2026-03-05, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).
A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and without requiring user interaction (UI:N). Successful exploitation grants high confidentiality and integrity impacts (C:H/I:H) alongside low availability impact (A:L), allowing the attacker to escalate privileges within the affected WordPress environment.
The Patchstack advisory provides further details on this privilege escalation vulnerability in the Wholesale Suite plugin: https://patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-1-privilege-escalation-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9651
Vulnerability details
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation. This issue affects Wholesale Suite: from n/a through <= 2.2.6.
- CWE(s): CWE-266 (Incorrect Privilege Assignment)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is explicitly an incorrect privilege assignment (CWE-266) that enables authenticated privilege escalation from a low-privileged WordPress user, directly mapping to exploitation of a software vulnerability to obtain higher privileges.
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly counters the CWE-266 incorrect privilege assignment by ensuring the Wholesale Suite plugin cannot grant a low-privileged user escalated rights beyond what is explicitly required.
- AC-3 (Access Enforcement): Enforces access-control decisions so that the plugin's flawed privilege logic cannot be abused to obtain unauthorized C:H/I:H capabilities.
- Requires explicit account and privilege provisioning processes that would limit the initial low-privilege account's ability to reach the vulnerable plugin code path.
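As an added illustration of what AC-3 and AC-6 look like inside a WordPress plugin (hypothetical code written for this page, not Wholesale Suite's own, and not a reconstruction of the actual flaw): a role-change handler that makes the authorisation decision server-side from the caller's real capabilities and can only grant roles from an explicit low-privilege allow-list. The `wsx_` prefix, the action name and the allow-list contents are assumptions; the WordPress functions used are standard core API.

```php
<?php
// Hypothetical plugin-style AJAX handler (not Wholesale Suite's code).
// AC-3: the access decision is made on the server from the caller's actual
// capabilities, never from data the client sends.
// AC-6: the set of roles this plugin may hand out is fixed and excludes every
// role that carries elevated capabilities.

// Roles this (hypothetical) plugin is permitted to assign. administrator,
// shop_manager and editor are deliberately absent.
const WSX_ASSIGNABLE_ROLES = array( 'customer', 'subscriber', 'wholesale_customer' );

function wsx_handle_role_change() {
    // CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'wsx_role_change', 'nonce' );

    // 'promote_users' is the core capability that authorises role changes.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_role  = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // Least privilege: only allow-listed roles, regardless of who is asking.
    if ( ! in_array( $new_role, WSX_ASSIGNABLE_ROLES, true ) ) {
        wp_send_json_error( 'role not assignable by this plugin', 400 );
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        wp_send_json_error( 'unknown user', 404 );
    }

    // Never touch accounts that already hold elevated rights; their role
    // management belongs to core user administration, not a storefront plugin.
    if ( user_can( $target, 'manage_options' ) || user_can( $target, 'edit_users' ) ) {
        wp_send_json_error( 'refusing to modify a privileged account', 403 );
    }

    // set_role() replaces all existing roles, so no prior role lingers.
    $target->set_role( $new_role );
    wp_send_json_success( array( 'user_id' => $target_id, 'role' => $new_role ) );
}
add_action( 'wp_ajax_wsx_role_change', 'wsx_handle_role_change' );
```

The important property for detection and review is that the grantable set is a constant in the plugin, so any request that lands outside it fails with a 4xx and can be logged, rather than silently elevating the account.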