CVE-2026-27542

Rymera Web Co Pty Ltd · Woocommerce Wholesale Lead Capture

The Woocommerce Wholesale Lead Capture plugin is vulnerable to incorrect privilege assignment, which allows attackers to escalate their privileges within the WordPress environment.

Executive summary

A critical privilege escalation vulnerability in the Woocommerce Wholesale Lead Capture plugin allows users to gain unauthorized elevated permissions, potentially compromising the entire WordPress site.

Vulnerability

The plugin contains an "Incorrect Privilege Assignment" flaw (CWE-266). The advisory does not identify the affected code path; in WordPress plugins this weakness class typically arises when a role value supplied by the user during registration or a profile update is accepted without validation, so a standard user (or, for a public lead-capture form, an unauthenticated visitor) can assign themselves the administrator role or another high-privilege role.
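To make the weakness class concrete, the following added example (not code from the Woocommerce Wholesale Lead Capture plugin or from the advisory) shows the vulnerable pattern for both the registration and the profile-update paths, each beside a hardened version. The function names, the form field `wwlc_role` and the role name `wholesale_customer` are assumptions made for the illustration; everything else is the standard WordPress user API.

```php
<?php
/*
 * Added illustration of incorrect privilege assignment in a WordPress
 * registration flow. NOT the Woocommerce Wholesale Lead Capture source.
 * Assumed names: wlc_* functions, form field 'wwlc_role', role
 * 'wholesale_customer'. Each function takes the submitted form as an array
 * (e.g. $_POST) and returns a user ID or WP_Error, like wp_insert_user().
 */

/* VULNERABLE: the role is read from the request. wp_insert_user() honours
 * the 'role' key, so whoever submits the form chooses their own role,
 * including 'administrator'. Passing $_POST through unchanged has the same
 * effect, because the client then controls every key of the array. */
function wlc_register_vulnerable( array $form ) {
    $userdata = array(
        'user_login' => sanitize_user( $form['user_login'] ?? '' ),
        'user_email' => sanitize_email( $form['user_email'] ?? '' ),
        'user_pass'  => (string) ( $form['user_pass'] ?? wp_generate_password() ),
        'role'       => (string) ( $form['wwlc_role'] ?? 'subscriber' ), // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

/* VULNERABLE: same mistake on the profile-update path. wp_update_user() also
 * honours 'role', so a logged-in user editing their profile promotes themselves. */
function wlc_update_profile_vulnerable( int $user_id, array $form ) {
    return wp_update_user( array(
        'ID'   => $user_id,
        'role' => (string) ( $form['wwlc_role'] ?? '' ), // attacker-controlled
    ) );
}

/* HARDENED registration: the role never comes from the request. Every
 * self-registered lead gets one fixed role, and that role is checked to be
 * non-privileged before use, so a tampered or misconfigured setting cannot
 * reintroduce the problem. */
function wlc_register_hardened( array $form ) {
    $fixed_role = 'wholesale_customer'; // assumed site-configured low-privilege role

    $role_obj = get_role( $fixed_role );
    if ( ! $role_obj instanceof WP_Role ) {
        return new WP_Error( 'wlc_role_missing', 'Configured lead role does not exist.' );
    }
    if ( $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        return new WP_Error( 'wlc_role_privileged', 'Refusing to register users into a privileged role.' );
    }

    $login = sanitize_user( $form['user_login'] ?? '', true );
    $email = sanitize_email( $form['user_email'] ?? '' );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'wlc_invalid_input', 'Username or e-mail is invalid.' );
    }

    // Build the array from named fields only; never merge the raw request in,
    // so unexpected keys such as 'role' or 'ID' cannot leak through.
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24, true, true ),
        'role'       => $fixed_role,
    ) );
}

/* HARDENED profile update: an explicit allowlist of editable fields and a
 * capability check. There is no 'role' key, so the caller cannot change it;
 * role changes belong in a separate, 'promote_users'-gated operation. */
function wlc_update_profile_hardened( int $user_id, array $form ) {
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'wlc_forbidden', 'Not allowed to edit this user.' );
    }
    $allowed = array( 'first_name', 'last_name', 'display_name', 'user_url' );
    $update  = array( 'ID' => $user_id );
    foreach ( $allowed as $key ) {
        if ( isset( $form[ $key ] ) ) {
            $update[ $key ] = sanitize_text_field( (string) $form[ $key ] );
        }
    }
    return wp_update_user( $update );
}
```

The point of the hardened versions is that the role is a server-side decision, never a request parameter, and that the code refuses to operate if the configured role turns out to carry `manage_options` or `edit_users`. Whether the actual plugin flaw lies in registration, profile update or elsewhere is not stated in the advisory; the pattern above is the general shape of the weakness class.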

Business impact

Successful exploitation allows an attacker to take full control of the WordPress site, leading to data breaches, site defacement, or the installation of malware. The CVSS score of 9.8 reflects the extreme severity of allowing an unprivileged user to become an administrator, resulting in a total loss of confidentiality, integrity, and availability.

Remediation

Immediate Action: Update the Woocommerce Wholesale Lead Capture plugin to version 2.0.3.2 or later, using the latest release available from the vendor.

Proactive Monitoring: Audit WordPress user accounts for unauthorized role changes, in particular administrator (or other privileged) accounts that were created through the wholesale lead capture form or whose registration date falls in the window before the update was applied.

Compensating Controls: Apply a least-privilege model (the default role for new registrations should be subscriber or a dedicated non-privileged wholesale role, and no public form should be able to set a role) and use security tooling that alerts on any change to the administrator role or its membership.
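The following must-use plugin is an added example of the monitoring and compensating control described in the two items above; it is not part of the Woocommerce Wholesale Lead Capture plugin or of any vendor tooling. It alerts on every promotion into a role that carries `manage_options` or `edit_users`, and demotes accounts that arrive with such a role through a self-registration (a request whose actor cannot `create_users`). The `prcm_` prefix and the fallback role `subscriber` are assumptions; the hooks, capabilities and functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Privileged Role Change Monitor (added example)
 * Description: Logs and e-mails the site admin when a user gains a role with
 *   manage_options or edit_users, and demotes users who self-register straight
 *   into such a role. Drop into wp-content/mu-plugins/. Illustrative
 *   compensating control only; not part of the Woocommerce Wholesale Lead
 *   Capture plugin. Assumed: the prcm_ prefix and the fallback role 'subscriber'.
 */

// A role is "privileged" if it can change site options or manage other users.
function prcm_role_is_privileged( $role ) {
    $r = get_role( $role );
    return $r instanceof WP_Role && ( $r->has_cap( 'manage_options' ) || $r->has_cap( 'edit_users' ) );
}

// Write one event to the PHP error log and mail it to the admin address,
// with the acting user and request context appended for triage.
function prcm_alert( $subject, array $lines ) {
    $actor   = wp_get_current_user();
    $lines[] = 'actor: ' . ( $actor && $actor->ID ? "{$actor->user_login} (#{$actor->ID})" : 'unauthenticated' );
    $lines[] = 'remote_addr: ' . ( $_SERVER['REMOTE_ADDR'] ?? 'n/a' );
    $lines[] = 'request: ' . ( $_SERVER['REQUEST_METHOD'] ?? '' ) . ' ' . ( $_SERVER['REQUEST_URI'] ?? '' );
    $body    = implode( "\n", $lines );
    error_log( "[prcm] {$subject}\n{$body}" );
    wp_mail( get_option( 'admin_email' ), '[' . get_bloginfo( 'name' ) . "] {$subject}", $body );
}

// Fires when a user's role is replaced (WP_User::set_role).
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( ! prcm_role_is_privileged( $role ) ) {
        return;
    }
    $u = get_userdata( $user_id );
    prcm_alert( 'User promoted to privileged role', array(
        'user: ' . ( $u ? $u->user_login : '?' ) . " (#{$user_id})",
        "new_role: {$role}",
        'old_roles: ' . implode( ',', (array) $old_roles ),
    ) );
}, 10, 3 );

// Fires when a role is added alongside existing ones (WP_User::add_role).
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( ! prcm_role_is_privileged( $role ) ) {
        return;
    }
    $u = get_userdata( $user_id );
    prcm_alert( 'Privileged role added to user', array(
        'user: ' . ( $u ? $u->user_login : '?' ) . " (#{$user_id})",
        "added_role: {$role}",
    ) );
}, 10, 2 );

// Runs after every other user_register handler (maximum priority). If the
// request came from someone who cannot create users (a public self-registration)
// and the new account nevertheless holds a privileged role, strip it and alert.
// Admin-created accounts (actor has create_users) are left alone.
add_action( 'user_register', function ( $user_id ) {
    if ( current_user_can( 'create_users' ) ) {
        return;
    }
    $u = get_userdata( $user_id );
    if ( ! $u ) {
        return;
    }
    $bad = array_filter( (array) $u->roles, 'prcm_role_is_privileged' );
    if ( empty( $bad ) ) {
        return;
    }
    $u->set_role( 'subscriber' ); // assumed fallback; non-privileged, so it does not re-trigger the alert above
    prcm_alert( 'Self-registered account arrived with a privileged role; demoted', array(
        "user: {$u->user_login} (#{$user_id})",
        'privileged_roles: ' . implode( ',', $bad ),
        'demoted_to: subscriber',
    ) );
}, PHP_INT_MAX );
```

For the one-off audit that the monitoring item asks for, WP-CLI gives the current picture directly: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator with its registration date, so accounts registered in the window before the update was applied stand out. The demotion in the `user_register` handler is deliberately conservative: it only acts when the request had no `create_users` capability, so a legitimate administrator creating a colleague's account through wp-admin is not affected.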

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability poses a critical threat to site integrity. Organizations must apply the latest security updates for the Woocommerce Wholesale Lead Capture plugin immediately to prevent unauthorized users from gaining administrative control.