CVE-2026-8157 | The Vitepos WordPress plugin before 3.4.2 does not properly… | CVSS 8.8 HIGH

Description

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

Metadata

CVE ID: CVE-2026-8157
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-08 09:14 UTC
Published: 2026-06-22 06:00 UTC
Last updated: 2026-06-22 12:48 UTC
Primary CWE: CWE-269
CWE-269 Improper Privilege Management
Vendor / Product: Unknown / Vitepos
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Vitepos	—	0 < 3.4.2

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-269 Improper Privilege Management
CWE-269	adp	CWE-269 Improper Privilege Management

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

https://wpscan.com/vulnerability/6680cc6a-9758-4040-bb39-7b9545041dc3/