CVE-2026-29002
CouchCMS · CouchCMS
A privilege escalation vulnerability in CouchCMS allows authenticated Admin-level users to create SuperAdmin accounts.
Executive summary
A critical privilege escalation flaw in CouchCMS allows administrative users to gain full SuperAdmin control through parameter tampering.
Vulnerability
The vulnerability exists in the user-creation process, where the f_k_levels_list parameter (the requested access level) is not properly validated against the level of the user submitting it. An authenticated Admin-level user can therefore escalate their own account, or a newly created account, to SuperAdmin status.
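As an added illustration (not CouchCMS's own code), the following PHP contrasts unchecked acceptance of the submitted level with a check that refuses any level above the caller's own; the numeric level constants and the way f_k_levels_list is read are assumptions standing in for the real implementation.

```php
<?php
// Added example, not CouchCMS code. Level values are assumed placeholders;
// the caller's level is taken from the authenticated session, never from the form.
const LEVEL_AUTHENTICATED = 2;
const LEVEL_ADMIN         = 7;
const LEVEL_SUPER_ADMIN   = 10;
const ALLOWED_LEVELS = [LEVEL_AUTHENTICATED, LEVEL_ADMIN, LEVEL_SUPER_ADMIN];

/**
 * Vulnerable pattern: whatever level the form submits is stored as-is,
 * so an Admin can submit the SuperAdmin level for a new or existing account.
 */
function level_from_request_unchecked(array $post): int
{
    return (int) ($post['f_k_levels_list'] ?? LEVEL_AUTHENTICATED);
}

/**
 * Hardened pattern: the requested level must be a known level and must not
 * exceed the level of the user performing the action. Returns null when the
 * request has to be rejected (the caller should then abort the save).
 */
function level_from_request_checked(array $post, int $caller_level): ?int
{
    $raw = $post['f_k_levels_list'] ?? null;
    // POST values arrive as strings; reject anything that is not a plain integer.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $requested = (int) $raw;
    if (!in_array($requested, ALLOWED_LEVELS, true)) {
        return null;                      // unknown level id
    }
    if ($requested > $caller_level) {
        return null;                      // Admin may not grant SuperAdmin
    }
    return $requested;
}

// Constructed request: an Admin-level session submitting the SuperAdmin level.
$post = ['f_k_levels_list' => (string) LEVEL_SUPER_ADMIN];

$unchecked = level_from_request_unchecked($post);             // escalation succeeds
$checked   = level_from_request_checked($post, LEVEL_ADMIN);  // rejected (null)
$by_super  = level_from_request_checked($post, LEVEL_SUPER_ADMIN); // permitted

printf("unchecked=%s admin=%s superadmin=%s\n",
    var_export($unchecked, true), var_export($checked, true), var_export($by_super, true));
```

The same comparison against the caller's session level also has to apply when an existing account is edited, since the page notes that an Admin can escalate their own account as well as a new one.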
Business impact
This flaw allows full system compromise from a lower-privileged administrative account. Rated CVSS 7.2, the ability of an attacker to grant themselves SuperAdmin rights is a severe threat to system integrity, potentially leading to unauthorized data exfiltration and total platform control.
Remediation
Immediate Action: Update to the latest version of CouchCMS that addresses the improper parameter validation in user creation.
Proactive Monitoring: Review user account creation logs and audit all accounts with SuperAdmin privileges to identify any unauthorized escalations.
Compensating Controls: Restrict administrative panel access to trusted IP addresses and implement multi-factor authentication for all high-privilege accounts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations using CouchCMS must address this privilege escalation vulnerability immediately. Administrators should audit all current account permissions and apply the vendor patch to prevent internal actors or compromised accounts from escalating to SuperAdmin level.