Simple User Capabilities

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.

AI Analysis

Privilege Escalation vulnerability in the Simple User Capabilities plugin due to a missing capability check

Basic Information

ID CVE-2025-12158

Source Wordfence

Published Nov 4, 2025 at 04:27

Affected Product

Vendor tanvirahmed1984

Product Simple User Capabilities

Version *

Affected Versions tanvirahmed1984 Simple User Capabilities *

CWE Classification

CWE-862

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor tanvirahmed1984

Product Simple User Capabilities

Version 1.0

References

{
    "lastseen": "",
    "description": "The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.",
    "published": "2025-11-04T04:27:22.881Z",
    "modified": "2025-11-04T04:27:22.881Z",
    "type": "cve",
    "title": "Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve\nhttps://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php\nhttps://wordpress.org/plugins/simple-user-capabilities/",
    "id": "CVE-2025-12158",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "tanvirahmed1984 Simple User Capabilities *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Simple User Capabilities",
    "version": "*",
    "vendor": "tanvirahmed1984",
    "ai_description": "Privilege Escalation vulnerability in the Simple User Capabilities plugin due to a missing capability check",
    "ai_severity": "Critical",
    "ai_vendor": "tanvirahmed1984",
    "ai_product": "Simple User Capabilities",
    "ai_version": "1.0",
    "ai_score": 9.8
}

Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation_CVE-2025-12158