A critical privilege escalation vulnerability has been identified in the WP Freeio plugin for WordPress. This flaw allows an unauthenticated attacker to create a new user account with full administrative privileges during the standard registration process. Successful exploitation results in a complete compromise of the affected website, granting the attacker total control over its content, user data, and functionality.

The vulnerability exists within the process_register() function, which is responsible for handling new user registrations. The function fails to properly sanitize or restrict the user role that can be assigned upon account creation. An unauthenticated attacker can submit a crafted registration request containing a parameter that specifies a privileged role (e.g., 'administrator'). Because the plugin does not validate this input, it creates the new user with the attacker-specified elevated privileges, bypassing standard security controls.

With a critical severity rating and a CVSS score of 9.8, this vulnerability represents a severe and immediate threat to the business. An attacker gaining administrative control can inflict significant damage, including theft of sensitive customer or proprietary data, website defacement, hosting and distributing malware to visitors, and disrupting business operations. The compromise of a public-facing website can lead to severe reputational harm, loss of customer trust, and potential regulatory fines depending on the data exposed.

Immediate Action: Update the WP Freeio plugin for WordPress to the latest version provided by the vendor (a version later than 1.2.21). After applying the update, conduct a thorough audit of all user accounts, particularly those with administrative roles, to identify and remove any unauthorized accounts that may have been created.

Proactive Monitoring: Monitor web server and application logs for suspicious user registration attempts. Specifically, look for POST requests to registration pages that contain unexpected parameters related to user roles (e.g., role=administrator). Configure alerts for the creation of any new administrative-level accounts to enable rapid detection of potential compromises.

Compensating Controls: If patching is not immediately possible, consider disabling user registration through the WP Freeio plugin as a temporary mitigation. Alternatively, implement a Web Application Firewall (WAF) rule to inspect and block registration requests that attempt to illegitimately set a user role.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) and the simplicity of exploitation, this vulnerability must be remediated with the highest priority. Although there is no evidence of active exploitation, the low complexity of the attack means that threat actors can easily develop and deploy exploits. Organizations are strongly urged to apply the security update immediately to prevent a complete website takeover.