CVE-2026-10830

WordPress · AllCoach

An improper privilege management vulnerability in the AllCoach WordPress plugin allows authenticated users with lower privileges to perform unauthorized actions.

Executive summary

A high-severity privilege management vulnerability in the AllCoach WordPress plugin allows attackers to escalate privileges and potentially achieve full system control.

Vulnerability

The plugin suffers from Improper Privilege Management (CWE-269), where it fails to properly validate the capabilities of the requesting user. This allows an authenticated user to perform actions beyond their assigned access level, potentially leading to total system compromise.

Business impact

The CVSS score of 8.8 reflects the high risk of unauthorized administrative actions. If exploited, an attacker could gain full control over the WordPress site, modify content, inject malicious code, or access sensitive user data, leading to severe reputational and operational damage.

Remediation

Immediate Action: Update the AllCoach plugin to the latest version (1.0.2 or higher) or remove the plugin if it is no longer required for business operations.

Proactive Monitoring: Review WordPress user roles and permissions, and monitor the audit logs for suspicious administrative actions performed by low-privileged accounts.

Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block common privilege escalation patterns and unauthorized request attempts against the plugin's endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Privilege management flaws are critical in CMS environments. Site administrators should immediately update the AllCoach plugin and perform a security audit of all user accounts to ensure no unauthorized elevation of privileges has taken place.