CVE-2025-5483
LC · LC Wizard plugin for WordPress
A high-severity privilege escalation vulnerability has been identified in the LC Wizard plugin for WordPress.
Executive summary
A high-severity privilege escalation vulnerability has been identified in the LC Wizard plugin for WordPress. This flaw allows a low-privileged authenticated user, such as a subscriber, to gain full administrative control over an affected website. Successful exploitation could lead to a complete site compromise, data theft, and further attacks originating from the trusted web server.
Vulnerability
The vulnerability exists within the ghl-wizard/inc/wp_user file of the LC Wizard plugin. A function responsible for user management fails to perform a proper capability check, which is a security mechanism in WordPress to ensure a user has the necessary permissions to perform an action. An authenticated attacker with low-level privileges (e.g., a subscriber) can craft a specific request to this vulnerable function to modify their own user role, escalating their privileges to that of an administrator.
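The bug class described above, as an added illustration (hypothetical code, not the LC Wizard plugin's own): a WordPress admin-ajax handler that changes a user's role without a capability check, beside a hardened version and a core `set_user_role` hook that logs promotions to administrator. The action names, nonce name and POST fields are assumptions.

```php
<?php
// Added illustration of the bug class, not the LC Wizard plugin's real code.
// Assumed: a hypothetical admin-ajax action that changes a user's role.

// VULNERABLE PATTERN: wp_ajax_* actions run for every logged-in user and this
// handler never checks capabilities, so a subscriber can make itself admin.
add_action('wp_ajax_lcw_set_role_vulnerable', function () {
    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');
    if ($user = get_userdata($user_id)) {
        $user->set_role($role);          // no current_user_can(), no nonce
    }
    wp_send_json_success();
});

// HARDENED PATTERN: nonce, capability check, and a role allow-list.
add_action('wp_ajax_lcw_set_role', function () {
    check_ajax_referer('lcw_set_role', 'nonce');   // CSRF protection; dies on failure
    // 'promote_users' is the core capability for changing roles; only
    // administrators hold it by default. wp_send_json_error() ends the request.
    if (! current_user_can('promote_users')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');
    // Accept only roles the caller may assign (get_editable_roles() honours the
    // 'editable_roles' filter) and only users the caller may edit.
    if (! array_key_exists($role, get_editable_roles())
        || ! current_user_can('edit_user', $user_id)) {
        wp_send_json_error('role or user not permitted', 403);
    }

    $user = get_userdata($user_id);
    if (! $user) {
        wp_send_json_error('no such user', 404);
    }
    $user->set_role($role);
    wp_send_json_success(['user_id' => $user_id, 'role' => $role]);
});

// DETECTION: core fires 'set_user_role' on every role change, whichever code
// made it, so promotions to administrator can be logged for the audit trail.
add_action('set_user_role', function ($user_id, $new_role, $old_roles) {
    if ($new_role === 'administrator' && ! in_array('administrator', $old_roles, true)) {
        error_log(sprintf('[role-audit] user %d promoted to administrator (was: %s) by user %d',
            $user_id, implode(',', $old_roles), get_current_user_id()));
    }
}, 10, 3);
```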
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit grants an attacker complete administrative control over the WordPress site, posing a significant risk to the organization. Potential consequences include unauthorized access to and exfiltration of sensitive data (customer PII, transaction records), website defacement, injection of malware to infect site visitors, and using the compromised server for malicious activities like hosting phishing sites or participating in botnets. Such an incident can result in severe reputational damage, financial loss, and potential regulatory penalties for data breaches.
Remediation
Immediate Action:
- Identify all WordPress instances using the LC Wizard plugin.
- Update the LC Wizard plugin to the latest patched version immediately.
- If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.
- Review all user accounts, particularly those with administrative privileges, to identify and revert any unauthorized changes or newly created rogue accounts.
Proactive Monitoring:
- Monitor WordPress audit logs for any unexpected or unauthorized user role changes, specifically promotions to the 'Administrator' role.
- Review web server access logs for suspicious requests targeting the /wp-content/plugins/ghl-wizard/inc/wp_user path.
- Implement File Integrity Monitoring (FIM) to alert on any unauthorized modifications to plugin files or the WordPress core.
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or log all access attempts to the vulnerable ghl-wizard/inc/wp_user endpoint.
- Restrict access to the WordPress login and admin areas (/wp-login.php and /wp-admin/) to trusted IP addresses only.
- Enforce a strong password policy and two-factor authentication (2FA) for all user accounts, especially for privileged roles.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the critical impact of a successful privilege escalation attack, this vulnerability must be addressed with high priority. We strongly recommend that organizations immediately apply the vendor-supplied patches by updating the LC Wizard plugin on all affected websites. Although this vulnerability is not currently listed on the CISA KEV list, its severity warrants immediate attention to prevent potential website compromise and data breaches.