Cyber Resilience

CVE-2026-32488

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 26.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32488 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-32488 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the User Registration plugin by wpeverest for WordPress. The flaw allows privilege escalation and affects the plugin from unknown initial versions through 4.4.9.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated attackers can exploit it over the network without user interaction, though it requires high attack complexity. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Patchstack provides details on this privilege escalation issue in User Registration version 4.4.9 via its advisory at https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-privilege-escalation-vulnerability?_s_id=cve, which security practitioners should consult for mitigation and patching guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network-accessible privilege escalation in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to obtain higher privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27983Shared CWE-266
CVE-2024-13421Shared CWE-266
CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2026-24968Shared CWE-266
CVE-2025-67953Shared CWE-266
CVE-2026-24373Shared CWE-266
CVE-2025-68027Shared CWE-266
CVE-2025-49388Shared CWE-266
CVE-2026-23550Shared CWE-266

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like CVE-2026-32488, directly preventing exploitation of the privilege escalation vulnerability in the User Registration plugin.

prevent

Enforces the principle of least privilege, mitigating incorrect privilege assignment by restricting users and processes to only necessary access rights despite the plugin flaw.

prevent

Mandates proper management of account types, roles, and privileges, preventing incorrect assignments that enable unauthenticated privilege escalation in the vulnerable plugin.

References