CVE-2025-12158
Simple · Simple User Capabilities plugin for WordPress
Executive summary
A critical privilege escalation vulnerability has been identified in the Simple User Capabilities plugin for WordPress. This flaw allows any authenticated user, regardless of their permission level, to grant themselves administrative privileges. Successful exploitation could result in a complete compromise of the affected WordPress site, allowing an attacker to steal data, deface the website, or install malware.
Vulnerability
The vulnerability exists because the suc_submit_capabilities() function, which updates user roles and permissions, performs no capability check before acting. Since the function never verifies that the caller is allowed to manage users, an attacker with any level of authenticated access, such as a basic subscriber, can invoke it directly with a request of their own and modify their own capabilities, granting themselves full administrative rights over the WordPress site.
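To make the flaw class concrete, here is an added illustrative example, not the plugin's actual source: a WordPress admin-ajax handler that updates user capabilities, shown first without any authorization check (the pattern described above) and then with the checks such a handler needs. The action name, nonce name and request field names are assumptions.

```php
<?php
// Added illustrative example (not the plugin's actual source): a WordPress
// admin-ajax handler that updates user capabilities. The "before" form mirrors
// the flaw class described above (no capability check); the "after" form shows
// the checks a handler like this needs. Action/nonce/field names are assumed.

// BEFORE: any logged-in user reaching a wp_ajax_* hook can change capabilities.
function suc_submit_capabilities_unchecked() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $caps    = (array) ( $_POST['caps'] ?? array() );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    foreach ( $caps as $cap ) {
        $user->add_cap( sanitize_key( $cap ) );   // no authorization anywhere
    }
    wp_send_json_success();
}

// AFTER: authorize before touching anything, verify a nonce, and refuse to
// hand out capabilities the acting user does not itself hold.
function suc_submit_capabilities_checked() {
    // Only users allowed to manage other users' roles get past this line.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Assumed nonce action name; blocks CSRF against a legitimate admin.
    check_ajax_referer( 'suc_caps_nonce', 'nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $caps    = array_map( 'sanitize_key', (array) ( $_POST['caps'] ?? array() ) );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    foreach ( $caps as $cap ) {
        // Never grant a capability the acting user lacks (no self-elevation).
        if ( ! current_user_can( $cap ) ) {
            wp_send_json_error( "cannot grant $cap", 403 );
        }
        $user->add_cap( $cap );
    }
    wp_send_json_success();
}

// Register only the authenticated hook; never wp_ajax_nopriv_ for this action.
add_action( 'wp_ajax_suc_submit_capabilities', 'suc_submit_capabilities_checked' );
```

The decisive difference is that the hardened handler rejects the request before any state changes; wp_send_json_error() and check_ajax_referer() both terminate execution on failure, so nothing below them runs for an unauthorized caller.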
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit leads to a complete compromise of the web application and underlying server. The business impact includes, but is not limited to, theft of sensitive customer or company data, website defacement causing significant reputational damage, installation of malware to attack site visitors, and the use of the compromised server for malicious activities like hosting phishing campaigns or participating in botnets.
Remediation
Immediate Action: Update the Simple User Capabilities plugin for WordPress to the latest patched version. If the update cannot be applied right away, disable the plugin until it can be patched; this removes the attack vector in the meantime.
Proactive Monitoring: Review web server and WordPress access logs for suspicious POST requests to admin-ajax.php targeting the suc_submit_capabilities action, especially from non-administrative users (where the web server log does not record the WordPress user, correlate by session or source IP with the WordPress side). Monitor for the creation of new administrative accounts or unexpected changes to existing user roles and permissions.
Compensating Controls: If patching is delayed, implement a Web Application Firewall (WAF) rule to specifically block or alert on requests invoking the suc_submit_capabilities action from users without administrative privileges. Regularly audit user accounts on the WordPress site to detect any unauthorized privilege modifications.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the high potential for a complete site compromise with minimal attacker effort, this vulnerability poses a severe risk. We strongly recommend that organizations immediately apply the vendor-supplied patch to all affected WordPress instances as a top priority. Although this vulnerability is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. Prioritize patching this vulnerability above all other routine maintenance to prevent unauthorized administrative access and system compromise.