CVE-2026-10830
WordPress · AllCoach
An improper privilege management vulnerability in the AllCoach WordPress plugin allows authenticated users with lower privileges to perform unauthorized actions.
Executive summary
A high-severity privilege management vulnerability in the AllCoach WordPress plugin allows attackers to escalate privileges and potentially achieve full system control.
Vulnerability
The plugin suffers from Improper Privilege Management (CWE-269), where it fails to properly validate the capabilities of the requesting user. This allows an authenticated user to perform actions beyond their assigned access level, potentially leading to total system compromise.
Business impact
The CVSS score of 8.8 reflects the high risk of unauthorized administrative actions. If exploited, an attacker could gain full control over the WordPress site, modify content, inject malicious code, or access sensitive user data, leading to severe reputational and operational damage.
Remediation
Immediate Action: Update the AllCoach plugin to the latest version (1.0.2 or higher) or remove the plugin if it is no longer required for business operations.
Proactive Monitoring: Review WordPress user roles and permissions, and monitor the audit logs for suspicious administrative actions performed by low-privileged accounts.
Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block common privilege escalation patterns and unauthorized request attempts against the plugin's endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Privilege management flaws are critical in CMS environments. Site administrators should immediately update the AllCoach plugin and perform a security audit of all user accounts to ensure no unauthorized elevation of privileges has taken place.