CVE-2025-13619
The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up
Multiple Products
Executive summary
A critical privilege escalation vulnerability exists in the Flex Store Users plugin for WordPress. This flaw allows an unauthenticated attacker to register a new user account with full administrator privileges, granting them complete control over the affected website. Successful exploitation could lead to total system compromise, data theft, and website defacement.
Vulnerability
The vulnerability stems from missing authorization checks in the user registration functions fsUserHandle::signup and fsSellerRole::add_role_seller. Neither function validates or restricts the role assigned to the newly created account, so an unauthenticated attacker can submit a crafted registration request that supplies 'administrator' as the desired user role. When the companion Flex Store Seller plugin is also active, the fs_type parameter offers a second path to the same outcome. Either way the result is a new administrator account under the attacker's control.
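The following is an added illustration of the check the signup path lacks; it is Python written for this page, not the plugin's own PHP. The parameter names role and fs_type come from the advisory; the role mapping, the promote_users capability gate and the User model are assumptions that model the WordPress convention that only an authorised user may choose a role for an account, while public self-registration always gets a fixed low-privilege role.

```python
"""
Added example: a hypothetical signup handler with the flaw the advisory
describes (client-supplied role trusted) beside a hardened version that
derives the role server-side. Not the plugin's code.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_ROLE = "subscriber"
# Assumed set of roles registered on the site; nothing outside it is ever assigned.
REGISTERED_ROLES = {"administrator", "editor", "author", "contributor",
                    "subscriber", "customer", "fs_seller"}
# Assumed mapping from the public fs_type parameter to low-privilege storefront roles.
FS_TYPE_ROLES = {"customer": "customer", "seller": "fs_seller"}
PRIVILEGED_ROLES = {"administrator", "editor"}


@dataclass
class User:
    login: str
    role: str
    capabilities: set = field(default_factory=set)


def signup_vulnerable(post: dict, seller_plugin_active: bool) -> User:
    """Models the flaw: the role is read from the request and never checked."""
    role = post.get("role", DEFAULT_ROLE)
    if seller_plugin_active and "fs_type" in post:
        role = post["fs_type"]  # fs_type is trusted exactly like role
    return User(post["user_login"], role)


def signup_hardened(post: dict, seller_plugin_active: bool,
                    actor: Optional[User] = None) -> User:
    """Derives the role server-side. A requested role is honoured only when an
    authenticated actor holds promote_users and the role is one the site registers."""
    fs_type = str(post.get("fs_type", "")).strip().lower()
    role = DEFAULT_ROLE
    if fs_type == "customer":
        role = FS_TYPE_ROLES["customer"]
    elif fs_type == "seller" and seller_plugin_active:
        role = FS_TYPE_ROLES["seller"]
    # Any other fs_type value (including 'administrator') keeps the default role.

    requested = post.get("role")
    if requested is not None and actor is not None and "promote_users" in actor.capabilities:
        if requested not in REGISTERED_ROLES:
            raise ValueError(f"unknown role {requested!r}")
        role = requested
    # Otherwise the client's role choice is ignored: an unauthenticated
    # self-registration can never pick its own role.

    # Defence in depth: a privileged role must have come from an authorised actor.
    assert actor is not None or role not in PRIVILEGED_ROLES
    return User(post["user_login"], role)


if __name__ == "__main__":
    attack = {"user_login": "mallory", "role": "administrator"}
    print("vulnerable:", signup_vulnerable(attack, False).role)
    print("hardened:  ", signup_hardened(attack, False).role)
```

The key property is that the hardened handler never uses a request value as a role name directly: fs_type is looked up in a fixed mapping, and the role parameter is only consulted after a capability check that an unauthenticated caller cannot pass.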
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation grants an attacker the highest level of administrative access, which on WordPress includes the ability to install plugins and edit theme files and therefore amounts to arbitrary code execution on the web server. The potential business impact is severe and includes theft of sensitive data (customer information, PII, payment details), website defacement, distribution of malware to site visitors, and significant reputational damage. An attacker with administrative control could also pivot to attack other systems within the network, escalating the incident's scope.
Remediation
Immediate Action: Update the Flex Store Users plugin for WordPress to the latest version, which contains a patch for this vulnerability. After updating, review every account holding the administrator role and remove any that were not created through a known process. Because an attacker-created administrator can read credentials and API keys stored in the site, treat any confirmed rogue account as a full compromise and rotate those secrets.
Proactive Monitoring: Review web server access logs for suspicious registration attempts. Specifically, search for POST requests to user registration endpoints whose parameters specify a user role, such as role=administrator or an fs_type value naming a privileged role. Note that standard access logs record only the request line, so a role sent in the POST body will appear only in WAF or application logs; complement the log review by comparing the registration timestamps of administrator accounts against the expected creation history. Monitor for the creation of new administrator accounts from unexpected IP addresses or at unusual times.
Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:
- Temporarily deactivate the Flex Store Users and Flex Store Seller plugins until they can be updated.
- If user registration is not essential, disable it entirely through the WordPress settings.
- Implement a Web Application Firewall (WAF) with rules designed to block requests that attempt to set an administrative role during registration.
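As an added example that is not part of the advisory, the script below implements both the log review described under Proactive Monitoring and the request check a WAF rule under Compensating Controls would apply. It parses Apache/nginx combined-format access log lines, flags POST requests to registration endpoints whose query string sets a role-like parameter to a privileged value, and exposes the same matcher for inline use on a request body. The endpoint paths, the parameter list beyond role and fs_type, and the sample log lines are constructed assumptions; adjust the paths to the site being monitored.

```python
"""
Added detection example, not from the advisory or the plugin. Flags POST
requests to WordPress registration endpoints that try to set an administrative
role via a query-string or body parameter. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Assumed endpoints where self-registration traffic is plausible.
REGISTRATION_PATHS = ("/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-json/", "/register")
# role and fs_type come from the advisory; user_role is an assumed extra alias.
ROLE_PARAMS = ("role", "fs_type", "user_role")
PRIVILEGED = {"administrator", "admin", "editor", "shop_manager"}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def privileged_role_params(query_or_body: str) -> dict:
    """Return {param: value} for every role-like parameter set to a privileged role.
    Percent-decodes twice so role=%2561dministrator is not missed, and matches
    case-insensitively so Administrator or ADMIN still trigger."""
    decoded = unquote_plus(unquote_plus(query_or_body))
    found = {}
    for name, values in parse_qs(decoded, keep_blank_values=True).items():
        if name.lower() in ROLE_PARAMS:
            for value in values:
                if value.strip().lower() in PRIVILEGED:
                    found[name.lower()] = value
    return found


def request_sets_privileged_role(method: str, target: str, body: str = "") -> bool:
    """WAF-style check: True for a POST to a registration endpoint that carries
    a privileged role in the query string or the (optional) body."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(target)
    if not any(parts.path.startswith(p) for p in REGISTRATION_PATHS):
        return False
    return bool(privileged_role_params(parts.query) or privileged_role_params(body))


def scan_access_log(lines) -> list:
    """Return (ip, timestamp, target, matched_params) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if request_sets_privileged_role(m["method"], m["target"]):
            params = privileged_role_params(urlsplit(m["target"]).query)
            hits.append((m["ip"], m["ts"], m["target"], params))
    return hits


# Constructed sample: two attack attempts, one benign signup, one GET that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2025:03:14:07 +0000] "POST /wp-login.php?action=register&role=administrator HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2025:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=fs_signup&fs_type=%41dministrator HTTP/1.1" 200 41 "-" "python-requests/2.32"',
    '198.51.100.20 - - [12/Nov/2025:08:02:11 +0000] "POST /wp-login.php?action=register&fs_type=customer HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [12/Nov/2025:08:05:40 +0000] "GET /wp-login.php?action=register&role=administrator HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target, params in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {params}")
```

Run against a real log with `scan_access_log(open("access.log"))`. The double percent-decoding and case folding are deliberate: a plain grep for role=administrator misses trivially encoded variants, and the same normalisation is what a WAF rule needs before comparing values.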
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for complete system compromise by an unauthenticated attacker, this vulnerability poses a severe and immediate risk. Organizations are strongly advised to apply the vendor-supplied patch to the Flex Store Users plugin without delay and to audit existing administrator accounts immediately for signs of prior compromise. Because exploitation requires nothing more than a crafted registration request, threat actors are likely to scan for and attack vulnerable sites as soon as the vulnerability becomes widely known.