CVE-2026-4314
WP Extended · The Ultimate WordPress Toolkit – WP Extended
The WP Extended plugin for WordPress is vulnerable to privilege escalation, allowing low-privileged users to gain administrative access.
Executive summary
A high-severity privilege escalation vulnerability in the WP Extended plugin allows attackers to gain unauthorized administrative control over WordPress sites.
Vulnerability
This vulnerability allows an authenticated attacker with low-level permissions (for example, a subscriber account) to escalate their privileges to those of an administrator. Flaws of this class are typically caused by a lack of proper capability checks in the plugin's code: a request handler performs a privileged action without first verifying that the calling user is allowed to perform it.
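The following is an added, illustrative example and not code from WP Extended or from this advisory. It shows the generic WordPress pattern the paragraph describes: a hypothetical AJAX handler that changes a user's role, first with the checks missing, then hardened. The hook name, function names and nonce action are assumptions chosen for the example.

```php
<?php
// Added illustrative example; not WP Extended's code. All names are assumed.

// WEAK PATTERN: every logged-in user can reach a wp_ajax_* handler, so with
// no capability check and no nonce, a low-privileged account could promote
// itself or another account. This is the class of defect the advisory describes.
function example_weak_set_role() {
    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');
    $user    = get_user_by('id', $user_id);
    if ($user instanceof WP_User) {
        $user->set_role($role); // missing current_user_can() and nonce check
    }
    wp_send_json_success();
}

// HARDENED PATTERN: same action, with the checks a privileged handler needs.
function example_hardened_set_role() {
    // 1. Nonce: bind the request to a form/script the site itself rendered (CSRF).
    check_ajax_referer('example_set_role', 'nonce');

    // 2. Capability: only users allowed to change roles may call this at all.
    if (!current_user_can('promote_users')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');

    // 3. Per-object capability: the caller must be allowed to edit this user.
    if ($user_id <= 0 || !current_user_can('edit_user', $user_id)) {
        wp_send_json_error('cannot edit this user', 403);
    }

    // 4. Validate the target role against roles that actually exist.
    $target = get_role($role);
    if (!$target) {
        wp_send_json_error('invalid role', 400);
    }

    // 5. No privilege amplification: refuse to grant any capability the
    //    caller does not hold, so an editor cannot hand out 'administrator'.
    foreach (array_keys(array_filter($target->capabilities)) as $cap) {
        if (!current_user_can($cap)) {
            wp_send_json_error('cannot grant a capability you do not hold', 403);
        }
    }

    $user = get_user_by('id', $user_id);
    if (!($user instanceof WP_User)) {
        wp_send_json_error('no such user', 404);
    }
    $user->set_role($role);
    wp_send_json_success(['user_id' => $user_id, 'role' => $role]);
}

// Register only the authenticated hook; never register a wp_ajax_nopriv_*
// twin for a handler that changes roles.
add_action('wp_ajax_example_set_role', 'example_hardened_set_role');
```

The point of steps 2 through 5 is that a nonce alone is not an authorization check: it proves the request came from a page the site served, not that the user is allowed to do what the request asks. Capability checks (`current_user_can`) are what enforce the WordPress role model that the advisory says this vulnerability bypasses.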
Business impact
Successful exploitation results in a complete site takeover. An attacker with administrative privileges can delete content, steal user data, install malicious scripts, and potentially use the site to distribute malware. The CVSS score of 8.8 reflects the high impact on site integrity and confidentiality.
Remediation
Immediate Action: Update the WP Extended plugin to the latest version. If the plugin is not essential, deactivate and remove it instead.
Proactive Monitoring: Review the list of administrative users for any unauthorized accounts and audit recent changes to site settings or plugin configurations.
Compensating Controls: Implement the principle of least privilege by limiting the number of users with any level of dashboard access and using a security plugin to monitor for privilege escalation attempts.
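As an added example (not part of this advisory or of any plugin), the snippet below implements the two defender-side steps above in a site-specific plugin or must-use plugin: enumerate administrator accounts so an unexpected or recently created one stands out, and log every role change so privilege escalation attempts leave a trace. It uses only WordPress core functions and the core `set_user_role` and `add_user_role` actions; the function names and the log prefix are assumptions.

```php
<?php
// Added defender-side example; not part of the advisory. Names are assumed.

// Step 1 (review administrative users): return every administrator with the
// fields an auditor needs to spot an account that should not be there.
function example_list_admins() {
    $rows = [];
    foreach (get_users(['role' => 'administrator']) as $u) {
        $rows[] = [
            'id'         => $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered, // recently created admins are suspicious
        ];
    }
    return $rows;
}

// Step 2 (monitor for privilege escalation): log every grant of the
// administrator role, regardless of which plugin or code path performed it.
// WP_User::set_role() fires 'set_user_role'; WP_User::add_role() fires 'add_user_role'.
function example_log_admin_grant($user_id, $new_role, $old_roles = []) {
    if ($new_role !== 'administrator') {
        return;
    }
    $actor = wp_get_current_user();
    error_log(sprintf(
        '[role-escalation] user %d granted administrator (previous roles: %s) by user %d (%s) from %s via %s',
        (int) $user_id,
        $old_roles ? implode(',', $old_roles) : '-',
        (int) $actor->ID,
        $actor->user_login ?: '-',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ));
}
add_action('set_user_role', 'example_log_admin_grant', 10, 3);
add_action('add_user_role', 'example_log_admin_grant', 10, 2);
```

The same admin inventory is available from the command line with WP-CLI: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Feeding the `[role-escalation]` log lines into whatever the site already uses for log monitoring turns the "monitor for privilege escalation attempts" control into an actual alert rather than a manual review.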
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediate remediation is required. Privilege escalation bypasses the fundamental security model of WordPress, making the application of the vendor's patch a critical priority for site administrators.