Vulnerabilities ›

CVE-2026-0844

High

CWE-284 — Weakness Type

                    Published: Jan 28, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

🤖 AI Executive Summary

CVE-2026-0844 is a privilege escalation vulnerability in the Simple User Registration WordPress plugin (versions ≤6.7) that allows authenticated subscribers to elevate their privileges to administrator by manipulating the 'wp_capabilities' parameter during profile updates. With a CVSS score of 8.8 and no exploit currently available, this poses a significant risk to WordPress installations in Saudi Arabia. Immediate patching is critical as the vulnerability requires only basic user access and could lead to complete site compromise.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 08:19

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi organizations using WordPress with the Simple User Registration plugin, particularly: (1) Government agencies and NCA-regulated entities hosting public portals or citizen services; (2) Banking and financial institutions (SAMA-regulated) using WordPress for customer-facing applications; (3) Healthcare providers and SEHA-affiliated organizations managing patient portals; (4) E-commerce and retail sectors relying on WordPress for online services; (5) Telecommunications companies (STC, Mobily, Zain) with WordPress-based customer platforms. The privilege escalation could lead to unauthorized access to sensitive data, system compromise, and regulatory violations under NCA ECC 2024 and SAMA CSF frameworks.

🏢 Affected Saudi Sectors

Government and Public Administration Banking and Financial Services Healthcare and Medical Services Energy and Utilities Telecommunications E-commerce and Retail Education Insurance

🎯 MITRE ATT&CK Techniques

T1548 - Abuse Elevation Control Mechanism T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1078 - Valid Accounts T1078.001 - Valid Accounts: Default Accounts T1098 - Account Manipulation T1098.001 - Account Manipulation: Additional Cloud Credentials T1136 - Create Account T1136.003 - Create Account: Cloud Account T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1110 - Brute Force T1110.001 - Brute Force: Password Guessing

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all WordPress installations using Simple User Registration plugin version 6.7 or earlier

2. Disable the plugin immediately if not critical to operations

3. Restrict user registration and profile update functionality until patching is complete

4. Review user roles and capabilities for unauthorized privilege escalations



PATCHING GUIDANCE:

1. Update Simple User Registration plugin to version 6.8 or later immediately

2. Test updates in staging environment before production deployment

3. Verify plugin functionality post-update



COMPENSATING CONTROLS (if immediate patching not possible):

1. Implement Web Application Firewall (WAF) rules to block requests containing 'wp_capabilities' parameter in profile update endpoints

2. Restrict profile update functionality to administrators only via WordPress role management

3. Disable user self-registration and profile editing features

4. Implement strict input validation on all user-submitted data



DETECTION RULES:

1. Monitor WordPress logs for POST requests to profile update endpoints containing 'wp_capabilities' parameter

2. Alert on user role changes from subscriber/contributor to administrator/editor

3. Monitor wp_usermeta table for unauthorized wp_capabilities modifications

4. Track failed and successful authentication attempts to identify privilege escalation attempts

5. Implement SIEM rules: (wp_capabilities in POST data) AND (user_role_change from low to high privilege)

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات WordPress التي تستخدم مكون Simple User Registration الإصدار 6.7 أو أقدم

2. تعطيل المكون فوراً إذا لم يكن حرجاً للعمليات

3. تقييد وظائف تسجيل المستخدمين وتحديث الملف الشخصي حتى اكتمال التصحيح

4. مراجعة أدوار المستخدمين والقدرات للكشف عن تصعيد الامتيازات غير المصرح به

إرشادات التصحيح:

1. تحديث مكون Simple User Registration إلى الإصدار 6.8 أو أحدث فوراً

2. اختبار التحديثات في بيئة التطوير قبل نشرها في الإنتاج

3. التحقق من وظائف المكون بعد التحديث

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تنفيذ قواعد جدار الحماية لتطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على معامل 'wp_capabilities' في نقاط نهاية تحديث الملف الشخصي

2. تقييد وظائف تحديث الملف الشخصي للمسؤولين فقط عبر إدارة أدوار WordPress

3. تعطيل ميزات التسجيل الذاتي وتحرير الملف الشخصي للمستخدمين

4. تنفيذ التحقق الصارم من صحة جميع البيانات المقدمة من المستخدمين

قواعد الكشف:

1. مراقبة سجلات WordPress للطلبات POST إلى نقاط نهاية تحديث الملف الشخصي التي تحتوي على معامل 'wp_capabilities'

2. التنبيه عند تغييرات أدوار المستخدمين من مشترك/مساهم إلى مسؤول/محرر

3. مراقبة جدول wp_usermeta للتعديلات غير المصرح بها على wp_capabilities

4. تتبع محاولات المصادقة الفاشلة والناجحة لتحديد محاولات تصعيد الامتيازات

5. تنفيذ قواعد SIEM: (wp_capabilities في بيانات POST) و (تغيير دور المستخدم من امتياز منخفض إلى مرتفع)

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.2 - Access control and user management A.6.2.1 - User registration and de-registration A.6.2.2 - User access provisioning A.7.1.1 - Physical and logical access controls A.8.2.1 - Classification of information assets A.9.1.1 - Event logging and monitoring A.12.4.1 - Event logging requirements

🔵 SAMA CSF

ID.AM-1 - Asset Management PR.AC-1 - Access Control Policy PR.AC-4 - Access Rights Management DE.CM-1 - System Monitoring DE.CM-3 - Unauthorized Software Detection RS.AN-1 - Characterization of Incident

🟡 ISO 27001:2022

A.5.1.1 - Information security policies A.6.1.2 - Access control A.6.2.1 - User registration and access provisioning A.8.1.1 - Inventory of assets A.8.2.1 - Classification of information A.8.3.1 - Handling of assets A.9.1.1 - Access control policy A.9.2.1 - User access management A.9.2.5 - Access rights review A.12.4.1 - Event logging

🟣 PCI DSS v4.0

Requirement 1.1 - Firewall configuration standards Requirement 2.1 - Default security parameters Requirement 6.2 - Security patches Requirement 7.1 - Access control implementation Requirement 8.1 - User identification and authentication Requirement 8.2 - User access provisioning Requirement 10.1 - System activity logging

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.p...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.u...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab...

security@wordfence.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-284

EPSS0.03%

Exploit No

Patch ✓ Yes

Published 2026-01-28

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-284

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-0844

Introduce Yourself

Sign In Required