CVE-2026-7106
Highland Software · Custom Role Manager
The Highland Software Custom Role Manager plugin for WordPress is susceptible to privilege escalation, allowing users who are not authorized to manage roles to obtain elevated permissions.
Executive summary
A privilege escalation vulnerability in the Highland Software Custom Role Manager plugin for WordPress could allow an authenticated attacker to gain administrative control over the site.
Vulnerability
The plugin does not verify that the requesting user holds the capability required to manage roles before performing role management operations. An attacker with a standard (low-privilege) account can exploit this flaw to modify user roles and escalate their own privileges to administrator.
Business impact
With a CVSS score of 8.8, this is a high-severity vulnerability. Successful exploitation grants an attacker full control over the WordPress site, allowing them to install malicious plugins, exfiltrate data, or modify site content, causing massive reputational and operational damage.
Remediation
Immediate Action: Update the Custom Role Manager plugin to the latest version. If no update is available, deactivate and remove the plugin immediately.
Proactive Monitoring: Review WordPress user account logs for unexpected role changes or new administrative accounts.
Compensating Controls: Enforce strict WordPress security settings, including the use of strong passwords and multi-factor authentication for all administrative accounts.
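Added example, not code from the Custom Role Manager plugin: a WordPress role-change handler with the capability, nonce and per-account checks whose absence the Vulnerability section describes, followed by a hook that records every role change and flags promotions to administrator, which supports the monitoring step above. The AJAX action name `hsm_demo_set_role` and its nonce action are assumed names.

```php
<?php
// Added example, not the plugin's code: a role-change AJAX handler with the
// checks WordPress expects, plus a hook that logs role escalations.
// The action name 'hsm_demo_set_role' and its nonce action are assumed names.

add_action( 'wp_ajax_hsm_demo_set_role', 'hsm_demo_set_role' );

function hsm_demo_set_role() {
    // CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'hsm_demo_set_role', '_wpnonce' );

    // Authorization: being logged in is not enough; require the capability
    // core itself checks before offering a role change ('promote_users').
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $new_role = sanitize_key( $_POST['role'] ?? '' );

    // Per-account check, and never let a caller change their own role.
    if ( ! $user_id || $user_id === get_current_user_id()
        || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only roles the caller is allowed to assign, as filtered by
    // 'editable_roles'; an arbitrary role slug from the request is rejected.
    if ( ! array_key_exists( $new_role, get_editable_roles() ) ) {
        wp_send_json_error( 'role not assignable', 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $new_role );
    wp_send_json_success();
}

// Monitoring: core fires 'set_user_role' on every role change. Log each one
// and flag promotions to administrator for review.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $line = sprintf( 'role change: user=%d old=%s new=%s by=%d', $user_id,
        implode( ',', $old_roles ), $role, get_current_user_id() );
    if ( 'administrator' === $role && ! in_array( 'administrator', $old_roles, true ) ) {
        $line = 'ESCALATION ' . $line;
    }
    error_log( $line );
}, 10, 3 );
```

Placed in a must-use plugin, the logging hook also captures role changes made by other plugins, so the log can be reviewed for the unexpected changes the remediation guidance asks administrators to look for.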
Exploitation status
Public Exploit Available: false
Analyst recommendation
WordPress administrators must prioritize updating this plugin. Given the risk of total site compromise, if an update is not immediately available, the plugin should be disabled until a secure version is released.