CVE-2026-7106: WordPress Plugin Privilege Escalation Exposes User Roles

The Highland Software Custom Role Manager plugin for WordPress, in versions up to and including 1.0.0, is vulnerable to a privilege escalation flaw, according to the National Vulnerability Database. This high-severity vulnerability (CVSS 8.8) stems from insufficient authorization checks within the hscrm_save_user_roles() function.

This function is hooked to the personal_options_update action, which is accessible to any authenticated WordPress user. This means an attacker with even a Subscriber-level account can exploit this weakness via the profile update form to modify user roles, potentially elevating their privileges or those of other users.
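The hook pattern the advisory describes, shown as an added illustration that is not the plugin's actual code: a handler on personal_options_update that writes a role from the form without checking who is asking, beside a hardened form of the same handler. The form field name hscrm_role is assumed.

```php
<?php
// Added example, not Highland Software's code. 'hscrm_role' is a hypothetical
// POST field name standing in for whatever the plugin's form actually sends.

// VULNERABLE PATTERN: personal_options_update fires whenever any logged-in user
// saves their own profile (wp-admin/profile.php). Nothing here checks capability,
// so a Subscriber can submit a role of their choosing.
function hscrm_save_user_roles_unchecked( $user_id ) {
    if ( isset( $_POST['hscrm_role'] ) ) {
        $user = get_userdata( $user_id );
        $user->set_role( sanitize_key( $_POST['hscrm_role'] ) );
    }
}
// add_action( 'personal_options_update', 'hscrm_save_user_roles_unchecked' );

// HARDENED PATTERN: verify the nonce profile.php already carries, require a
// capability Subscribers do not have, and accept only roles the actor may assign.
function hscrm_save_user_roles_checked( $user_id ) {
    if ( ! isset( $_POST['hscrm_role'] ) ) {
        return;
    }
    // user-edit.php/profile.php emit the nonce action 'update-user_' . $user_id.
    check_admin_referer( 'update-user_' . $user_id );

    // promote_users is an Administrator capability; edit_user covers the target.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( esc_html__( 'You are not allowed to change user roles.' ), 403 );
    }

    $role = sanitize_key( wp_unslash( $_POST['hscrm_role'] ) );
    // get_editable_roles() lists only the roles the current user may assign.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_die( esc_html__( 'Invalid role.' ), 400 );
    }

    $user = get_userdata( $user_id );
    if ( $user && ! in_array( $role, (array) $user->roles, true ) ) {
        $user->set_role( $role );
    }
}
add_action( 'personal_options_update', 'hscrm_save_user_roles_checked' );
```

Because the self-profile save path is reachable by every account, the stricter design is to not honour role fields on personal_options_update at all and handle role changes only on the administrator-facing edit_user_profile_update path with the same checks.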

While the National Vulnerability Database does not specify affected products beyond the plugin itself, the implications are clear. Any WordPress site running this plugin version is at risk. Defenders must understand that this isn’t a zero-day requiring complex exploits; it’s a simple authenticated privilege escalation, an attacker’s bread and butter for lateral movement and persistence.

What This Means For You

  • If your organization uses the Highland Software Custom Role Manager plugin for WordPress, you are exposed. Immediately audit your WordPress installations for this plugin and ensure it is either removed or updated to a patched version once available. If you cannot patch, consider deactivating it or restricting access to user profile updates for non-administrative users. Review user role changes in logs for any suspicious activity.
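One way to make the "review user role changes in logs" step concrete, as an added example that is not part of the advisory or the plugin: a must-use plugin that records every role change WordPress core performs, including who performed it, so a self-service change by an account that lacks promote_users stands out.

```php
<?php
/**
 * Plugin Name: Role Change Audit (added example; not part of the advisory)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// WordPress core fires 'set_user_role' from WP_User::set_role() with the
// affected user id, the new role and the previous role list.
function rca_log_role_change( $user_id, $new_role, $old_roles ) {
    $actor    = wp_get_current_user();
    $actor_id = $actor ? (int) $actor->ID : 0;

    $event = array(
        'ts'                => gmdate( 'c' ),
        'event'             => 'user_role_changed',
        'target_user'       => (int) $user_id,
        'old_roles'         => array_values( (array) $old_roles ),
        'new_role'          => (string) $new_role,
        'actor_user'        => $actor_id,
        // A user changing their own role is the scenario the advisory describes.
        'self_change'       => $actor_id === (int) $user_id,
        // Role changes by an actor without promote_users should never happen.
        'actor_can_promote' => $actor_id && user_can( $actor_id, 'promote_users' ),
        'remote_addr'       => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'request_uri'       => isset( $_SERVER['REQUEST_URI'] )
            ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
    );

    // One JSON object per line so the PHP error log can be shipped to a SIEM as-is.
    error_log( 'ROLE_AUDIT ' . wp_json_encode( $event ) );
}
add_action( 'set_user_role', 'rca_log_role_change', 10, 3 );
```

Triage on events where self_change is true or actor_can_promote is false; a request_uri ending in /wp-admin/profile.php alongside either condition matches the abuse path this advisory describes.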

Related ATT&CK Techniques

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Level: high · ATT&CK: T1078.004 · Privilege Escalation

CVE-2026-7106: WordPress Custom Role Manager Privilege Escalation via Profile Update

Sigma YAML
title: 'CVE-2026-7106: WordPress Custom Role Manager Privilege Escalation via Profile Update'
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7106 by monitoring POST requests to the WordPress profile update endpoint ('/wp-admin/profile.php') with the 'action=update-user' query parameter. This specific action is associated with the vulnerable hscrm_save_user_roles() function in the Highland Software Custom Role Manager plugin, allowing authenticated users with subscriber-level access to escalate their privileges by modifying user roles.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7106/
tags:
  - attack.privilege_escalation
  - attack.t1078.004
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-admin/profile.php'
    cs-method: 'POST'
    cs-uri-query|contains: 'action=update-user'
  selection_base:
    sc-status: '200'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID            | Type                 | Indicator
CVE-2026-7106 | Privilege Escalation | Highland Software Custom Role Manager plugin for WordPress
CVE-2026-7106 | Privilege Escalation | Highland Software Custom Role Manager plugin version <= 1.0.0
CVE-2026-7106 | Privilege Escalation | Vulnerable function: hscrm_save_user_roles()
CVE-2026-7106 | Privilege Escalation | Vulnerable action hook: personal_options_update
CVE-2026-7106 | Privilege Escalation | Attack vector: authenticated users (Subscriber-level or higher) modifying user roles via the profile update form
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
