CVE-2025-15157

Starfish · Starfish Review Generation & Marketing

The Starfish Review Generation & Marketing plugin for WordPress is vulnerable to privilege escalation due to a missing capability check in the `srm_restore_options_defaults` function.

Executive summary

A missing capability check in the Starfish Review Generation & Marketing plugin allows unauthorized users to modify site data, potentially leading to full privilege escalation.

Vulnerability

The vulnerability exists in the `srm_restore_options_defaults` function, which performs no capability check before acting. As a result, authenticated attackers with minimal permissions (or, depending on how the function is exposed, unauthenticated attackers) can reset or modify the plugin's options, which can be leveraged for privilege escalation.
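The following is an added, illustrative reconstruction of the pattern described above, not the Starfish plugin's own source: a handler that resets plugin options with no authorization, shown beside the hardened form a reviewer would expect. The admin-ajax hook names, the option key `srm_example_settings`, the nonce action and the default values are assumptions made for the example.

```php
<?php
// Added illustrative example: the "missing capability check" pattern and its
// hardened form. NOT the Starfish plugin's code; hook names, option keys,
// nonce action and defaults are assumptions.

// --- Vulnerable shape: every request that reaches the handler is honoured. ---
// Assumed exposure: admin-ajax.php via a wp_ajax_* hook.
function srm_restore_options_defaults_vulnerable() {
    // No current_user_can() and no nonce verification: any logged-in user who
    // can reach admin-ajax.php can reset the plugin's configuration.
    update_option( 'srm_example_settings', srm_example_defaults() );
    wp_send_json_success( 'defaults restored' );
}
add_action( 'wp_ajax_srm_restore_defaults_vuln', 'srm_restore_options_defaults_vulnerable' );

// --- Hardened shape: authorize, verify intent, then act. ---
function srm_restore_options_defaults_hardened() {
    // 1. Capability check. Test a capability rather than a role name so custom
    //    role configurations are respected; manage_options is what WordPress
    //    core itself requires for editing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection. The request must carry a nonce issued for this exact
    //    action; check_ajax_referer() terminates the request (HTTP 403) when the
    //    nonce is absent or invalid.
    check_ajax_referer( 'srm_restore_defaults', 'nonce' );

    // 3. Only now perform the privileged write.
    update_option( 'srm_example_settings', srm_example_defaults() );
    wp_send_json_success( 'defaults restored' );
}
add_action( 'wp_ajax_srm_restore_defaults', 'srm_restore_options_defaults_hardened' );
// Deliberately no wp_ajax_nopriv_* registration: unauthenticated requests
// never reach the handler at all.

// Assumed defaults; the real plugin's defaults are not on the page.
function srm_example_defaults() {
    return array(
        'enabled'  => true,
        'per_page' => 10,
    );
}

// The admin page that renders the "restore defaults" button must hand the
// nonce to its JavaScript, e.g. via wp_localize_script():
//   wp_localize_script( 'srm-admin', 'srmAdmin',
//       array( 'nonce' => wp_create_nonce( 'srm_restore_defaults' ) ) );
```

The order matters: the capability check runs first so that an unauthorized caller learns nothing from nonce handling, and the nonce check runs before the write so that a privileged user cannot be tricked into resetting options from a third-party page. Omitting either check is the defect class this advisory describes.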

Business impact

Unauthorized data modification can disrupt marketing efforts and, more critically, allow an attacker to gain higher-level administrative permissions. With a CVSS score of 8.8, this vulnerability poses a high risk to site integrity and could lead to a complete takeover of the WordPress instance.

Remediation

Immediate Action: Update the Starfish Review Generation & Marketing plugin to the latest version to apply the necessary authorization checks.

Proactive Monitoring: Review WordPress user roles and permissions for any unauthorized changes and monitor for unexpected resets in plugin configurations.

Compensating Controls: Employ a security plugin that monitors for unauthorized changes to the WordPress options table and alerts administrators of suspicious activity.
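As an added example of the compensating control described above (not code from the page or the plugin), the following must-use plugin records every change to watched entries in the WordPress options table together with the acting user, and flags any change made by a user who lacks `manage_options`. The `srm_` prefix, the list of watched core options and the use of `error_log()` as the sink are assumptions; in production the records would go to a SIEM or an alerting channel.

```php
<?php
// Added illustrative example (not from the page or the plugin): log option
// changes with actor context so unexpected resets of plugin configuration
// stand out. Drop into wp-content/mu-plugins/ so it cannot be deactivated.
// The watched prefixes and the error_log() sink are assumptions.

// Option names (prefix match) worth watching. 'srm_' is an assumed prefix for
// the plugin's options; default_role and users_can_register are core options
// whose modification is a common precursor to privilege escalation.
const SRM_WATCH_PREFIXES = array( 'srm_', 'default_role', 'users_can_register' );

function srm_watch_is_interesting( $option ) {
    foreach ( SRM_WATCH_PREFIXES as $prefix ) {
        if ( strpos( $option, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

function srm_watch_describe_actor() {
    $user = wp_get_current_user();
    return array(
        'user_id'    => $user->ID,                           // 0 when unauthenticated
        'login'      => $user->ID ? $user->user_login : '(none)',
        'can_manage' => current_user_can( 'manage_options' ) ? 'yes' : 'no',
        'request'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );
}

function srm_watch_log( $event, $option, $old_value, $new_value ) {
    if ( ! srm_watch_is_interesting( $option ) ) {
        return;
    }
    $record = array_merge(
        array(
            'event'  => $event,
            'option' => $option,
            'old'    => wp_json_encode( $old_value ),
            'new'    => wp_json_encode( $new_value ),
        ),
        srm_watch_describe_actor()
    );
    // A watched option changed by someone without manage_options is the
    // signature of a handler that skipped its capability check.
    $level = ( 'no' === $record['can_manage'] ) ? 'ALERT' : 'INFO';
    error_log( '[option-watch ' . $level . '] ' . wp_json_encode( $record ) );
}

// Core fires these after the options table has been written.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    srm_watch_log( 'updated', $option, $old_value, $value );
}, 10, 3 );

add_action( 'added_option', function ( $option, $value ) {
    srm_watch_log( 'added', $option, null, $value );
}, 10, 2 );

add_action( 'deleted_option', function ( $option ) {
    srm_watch_log( 'deleted', $option, null, null );
}, 10, 1 );
```

Note that `updated_option` only fires when the stored value actually changes, so a reset to values that already match the defaults is invisible to this hook; pairing the log with a periodic snapshot of the watched options closes that gap. An `ALERT` record with `user_id` 0 or `can_manage` `no` against an `srm_` option is exactly the event the advisory's "unexpected resets in plugin configurations" guidance refers to.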

Exploitation status

Public Exploit Available: false

Analyst recommendation

The high severity of this privilege escalation flaw necessitates immediate remediation. Administrators should verify that all users have only the minimum necessary permissions and apply the plugin update to prevent unauthorized administrative access.