Cyber Resilience

CVE-2026-4314
Severity: High
Published: 22 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0029 (20.1th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4314 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (product inferred from references). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 20.1th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-4314 is a privilege escalation vulnerability affecting all versions up to and including 3.2.4 of the 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress. The flaw originates in the Menu Editor module's `isDashboardOrProfileRequest()` method, which performs an insecure `strpos()` substring check against `$_SERVER['REQUEST_URI']` to decide whether a request targets the dashboard or profile page. Because `REQUEST_URI` includes the query string, which the client controls, the expected substring can be supplied in a query parameter rather than in the path, so the check passes for any admin URL. When it does, the `grantVirtualCaps()` method, hooked into the `user_has_cap` filter, improperly grants elevated capabilities, including `manage_options`.

Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by appending a crafted query parameter to any admin URL. Successful exploitation grants administrative capabilities, allowing attackers to update arbitrary WordPress options and create new Administrator accounts. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).

Advisories reference vulnerable code at lines 135 and 207 in `modules/menu-editor/Bootstrap.php` of tag 3.2.4. A patch addressing the issue appears in the plugin's trunk via the referenced changeset. Further details, including threat intelligence, are available on the Wordfence vulnerability page.
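The following PHP snippet is an added illustration and is not code from the WP Extended plugin or from the referenced changeset. It contrasts the pattern the advisory describes (a `strpos()` substring test on the raw `REQUEST_URI`) with a check that inspects only the parsed path component. The function names, the needle strings (`profile.php`, `index.php`) and the sample URIs are assumptions constructed for the demonstration; the plugin's actual needles and patched logic are not on this page.

```php
<?php
// Added illustrative example, not the WP Extended plugin's own code.
// Shows why a substring test on REQUEST_URI is a weak basis for a
// "is this the dashboard/profile screen?" decision, and a path-only check.
declare(strict_types=1);

/**
 * Pattern described in the advisory: a strpos() substring test against the
 * whole REQUEST_URI. REQUEST_URI carries the query string, which the client
 * chooses, so any admin URL can be made to contain the expected substring.
 * Hypothetical name and needles; the real method is isDashboardOrProfileRequest().
 */
function is_dashboard_or_profile_request_insecure(string $request_uri): bool
{
    return strpos($request_uri, 'profile.php') !== false
        || strpos($request_uri, '/wp-admin/index.php') !== false;
}

/**
 * Hardened form: only the path component is examined. Everything after
 * '?' or '#' is discarded by parse_url(), the screen must live directly
 * under /wp-admin/ (subdirectory installs are handled via dirname()), and
 * the file name must match an allow-list exactly.
 */
function is_dashboard_or_profile_request_hardened(string $request_uri): bool
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false;
    }
    $allowed_screens = ['index.php', 'profile.php'];
    $dir = dirname($path);
    if (substr($dir, -9) !== '/wp-admin') {
        return false;
    }
    return in_array(basename($path), $allowed_screens, true);
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    '/wp-admin/profile.php',                   // genuine profile screen
    '/blog/wp-admin/index.php',                // dashboard in a subdirectory install
    '/wp-admin/users.php',                     // unrelated admin screen
    '/wp-admin/options.php?x=profile.php',     // substring only in the query string
];

foreach ($samples as $uri) {
    printf(
        "%-40s insecure=%-5s hardened=%s\n",
        $uri,
        var_export(is_dashboard_or_profile_request_insecure($uri), true),
        var_export(is_dashboard_or_profile_request_hardened($uri), true)
    );
}
```

The last sample is the defect in one line: the substring test answers true for a request that never touches the profile screen, while the path-only check answers false. The broader design lesson for a `user_has_cap` callback is that the request URL should not be the input that decides whether a user receives `manage_options` at all; whether a screen is "the dashboard" says nothing about whether the current user is entitled to administrator capabilities, and WordPress already scopes such decisions to the user's role.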

Vulnerability details

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.

CWE(s)

CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a software flaw in a WordPress plugin that allows authenticated low-privileged users to improperly obtain administrative capabilities (including `manage_options`) through an insecure `strpos()` check on `REQUEST_URI` and misuse of the `user_has_cap` filter. Exploiting the flaw yields privilege escalation directly, which matches T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2025-26705 (shared CWE-269)
CVE-2015-10139 (shared CWE-269)
CVE-2026-8972 (shared CWE-269)
CVE-2025-0893 (shared CWE-269)
CVE-2026-6769 (shared CWE-269)
CVE-2025-2858 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)

Enforces least privilege to prevent Subscriber-level users from gaining elevated capabilities such as `manage_options` via the plugin's flawed `REQUEST_URI` check.

AC-3 Access Enforcement (prevent)

Mandates enforcement of approved authorizations, directly countering the improper capability grants made by the `grantVirtualCaps()` method hooked into `user_has_cap`.

SI-2 Flaw Remediation (prevent; control ID not shown on the page, inferred from the control wording)

Requires identification, reporting, and correction of flaws such as the insecure `strpos()` check in the Menu Editor module's `isDashboardOrProfileRequest()` method.

References