CVE-2026-57813
properfraction · MailOptin
The MailOptin plugin for WordPress contains an incorrect privilege assignment vulnerability, allowing unauthenticated attackers to escalate their privileges to administrative levels.
Executive summary
A critical privilege escalation vulnerability in the MailOptin plugin enables unauthenticated attackers to gain administrative access, granting them complete control over the affected WordPress installation.
Vulnerability
This is an Incorrect Privilege Assignment (CWE-266) vulnerability. The plugin fails to perform adequate capability checks, allowing an unauthenticated remote attacker to manipulate user roles and escalate privileges without authorization.
Business impact
An attacker gaining administrative privileges can fully compromise the WordPress environment, including the ability to install malicious plugins, modify site content, and access sensitive user data. The CVSS score of 9.8 reflects the ease of exploitation and the total impact on confidentiality, integrity, and availability, necessitating urgent remediation.
Remediation
Immediate Action: Update the MailOptin plugin to a version beyond 1.2.77.3 immediately to resolve the privilege assignment flaw.
Proactive Monitoring: Audit user account lists for suspicious new administrator accounts or unauthorized changes to existing user roles.
Compensating Controls: Implement a WAF to monitor and block requests that attempt to modify user settings or call administrative functions from unauthorized sessions.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a catastrophic risk to the security of the affected WordPress instance. Security teams must prioritize applying the update and performing a post-patch audit of all user accounts to ensure no unauthorized administrative accounts were created during the exposure window.