Cyber Posture

CVE-2026-32488

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32488 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of software flaws like CVE-2026-32488, directly preventing exploitation of the privilege escalation vulnerability in the User Registration plugin.

AC-6 Least Privilege good match
prevent

Enforces the principle of least privilege, mitigating incorrect privilege assignment by restricting users and processes to only necessary access rights despite the plugin flaw.

AC-2 Account Management good match
prevent

Mandates proper management of account types, roles, and privileges, preventing incorrect assignments that enable unauthenticated privilege escalation in the vulnerable plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated network-accessible privilege escalation in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to obtain higher privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.

Deeper analysisAI

CVE-2026-32488 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the User Registration plugin by wpeverest for WordPress. The flaw allows privilege escalation and affects the plugin from unknown initial versions through 4.4.9.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated attackers can exploit it over the network without user interaction, though it requires high attack complexity. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Patchstack provides details on this privilege escalation issue in User Registration version 4.4.9 via its advisory at https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-privilege-escalation-vulnerability?_s_id=cve, which security practitioners should consult for mitigation and patching guidance.

Details

CWE(s)
CWE-266

CVEs Like This One

CVE-2026-32520Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2026-27051Shared CWE-266
CVE-2026-23800Shared CWE-266
CVE-2026-32519Shared CWE-266
CVE-2026-32916Shared CWE-266
CVE-2025-68869Shared CWE-266
CVE-2024-56000Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-24968Shared CWE-266

References