CVE-2026-4314
Published: 22 March 2026
Summary
CVE-2026-4314 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 20.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-4314 is a privilege escalation vulnerability affecting all versions up to and including 3.2.4 of the 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress. The flaw originates in the Menu Editor module's `isDashboardOrProfileRequest()` method, which performs an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to identify dashboard or profile page requests. This insecure check enables the `grantVirtualCaps()` method—hooked into the `user_has_cap` filter—to improperly grant elevated capabilities, including `manage_options`, when the condition evaluates to true.
Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by appending a crafted query parameter to any admin URL. Successful exploitation grants administrative capabilities, allowing attackers to update arbitrary WordPress options and create new Administrator accounts. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
Advisories reference vulnerable code at lines 135 and 207 in `modules/menu-editor/Bootstrap.php` of tag 3.2.4. A patch addressing the issue appears in the plugin's trunk via the referenced changeset. Further details, including threat intelligence, are available on the Wordfence vulnerability page.
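As an added example (not the plugin's code and not the referenced patch), the PHP below sketches the two defensive changes the description above points to: deciding whether a request targets the dashboard or profile screen from the URL path alone, so the query string cannot influence the result, and never minting `manage_options` from a `user_has_cap` filter, granting only a narrow module capability to users who already hold a prerequisite one. Everything prefixed `wpx_example_` (function names, the capability name, the `edit_posts` prerequisite) is hypothetical; the WordPress APIs used (`wp_parse_url`, `admin_url`, `untrailingslashit`, `wp_unslash`, `add_filter`, the `user_has_cap` filter) are real.

```php
<?php
/**
 * Added example: a path-based admin-screen check plus a least-privilege
 * user_has_cap filter. Illustrates the defensive pattern only; it is not
 * the WP Extended plugin's code. Names prefixed wpx_example_ are hypothetical.
 */

/**
 * Returns true only for the dashboard or the user's own profile screen.
 *
 * Only the path component of the URI is inspected. The query string and
 * fragment are discarded by wp_parse_url(), so a substring in a query
 * parameter can never make this check pass. Matching is exact against the
 * real admin directory, not a substring search over REQUEST_URI.
 */
function wpx_example_is_dashboard_or_profile_request(string $request_uri): bool {
    $path = wp_parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false;
    }

    // e.g. "/wp-admin" (admin_url() honours a relocated or subdirectory install).
    $admin_dir = untrailingslashit((string) wp_parse_url(admin_url(), PHP_URL_PATH));
    $path      = untrailingslashit($path);

    // Percent-encoded or otherwise unusual spellings of the path will not match
    // and therefore fail closed, which is the intended behaviour for a gate.
    $allowed = array(
        $admin_dir,                  // /wp-admin
        $admin_dir . '/index.php',   // dashboard
        $admin_dir . '/profile.php', // own profile
    );
    return in_array($path, $allowed, true);
}

/**
 * user_has_cap filter: $allcaps is the user's capability map, $caps the
 * primitive caps being checked, $args = [cap, user_id, ...], $user the WP_User.
 *
 * Even with a correct request check, this filter must not hand out admin-level
 * capabilities. It adds one narrowly scoped capability, and only to users who
 * already hold the capability the feature builds on.
 */
function wpx_example_grant_virtual_caps(array $allcaps, array $caps, array $args, WP_User $user): array {
    if (!$user->exists()) {
        return $allcaps;
    }

    $uri = isset($_SERVER['REQUEST_URI']) ? wp_unslash($_SERVER['REQUEST_URI']) : '';
    if (!wpx_example_is_dashboard_or_profile_request($uri)) {
        return $allcaps;
    }

    // Hypothetical prerequisite: the feature is for users who can already edit posts.
    if (empty($allcaps['edit_posts'])) {
        return $allcaps;
    }

    // Narrow, module-specific capability only. Deliberately NOT manage_options,
    // edit_users, or any other capability that would let a Subscriber change
    // site options or create accounts.
    $allcaps['wpx_example_customize_own_menu'] = true;
    return $allcaps;
}
add_filter('user_has_cap', 'wpx_example_grant_virtual_caps', 10, 4);
```

Two design choices matter here. First, the request check is a poor gate for any capability grant at all, because `user_has_cap` runs on every capability check in the request, including ones triggered by AJAX handlers and option updates that have nothing to do with rendering the dashboard; keeping the granted capability narrow limits the blast radius if the check is ever wrong again. Second, comparing the parsed path against `admin_url()` rather than a literal `/wp-admin/` keeps the check correct on installs that relocate the admin directory.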
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14275
Vulnerability details
The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a software flaw in a WordPress plugin that allows authenticated low-privileged users to improperly obtain administrative capabilities (including manage_options) via an insecure strpos check on REQUEST_URI and abuse of the user_has_cap filter. This directly enables exploitation of the vulnerability to achieve privilege escalation, matching T1068.
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Enforces least privilege to prevent Subscriber-level users from gaining elevated capabilities like manage_options via the plugin's flawed REQUEST_URI check.
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations, directly countering the improper capability grants made by the grantVirtualCaps method hooked into user_has_cap.
- Flaw remediation: Requires identification, reporting, and correction of flaws like the insecure strpos check in the Menu Editor module's isDashboardOrProfileRequest method.