Ovic Responsive WPBakery WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Ovic Responsive WPBakery WordPress plugin, affecting versions prior to 1.2.9, allows authenticated users with the subscriber role or higher to invoke AJAX actions that lack proper validation. This lets them modify critical blog options such as 'users_can_register' and 'default_role'. In addition, because the plugin unserializes user-supplied input, the same entry point could be used for PHP Object Injection attacks.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation, allowing a subscriber to gain administrative rights.

Reproduction

To reproduce this vulnerability, log into a WordPress site as a subscriber. Then, send a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'ovic_vc_import_options' and include a payload that exploits the vulnerability by modifying blog options. After the request is processed, log out and create a new account, which will be automatically assigned the 'administrator' role.

Remediation

Users are advised to update the Ovic Responsive WPBakery WordPress plugin to version 1.2.9 or later.
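The defensive shape such an admin-ajax handler should have, as an added example that is not the plugin's own code: only the action name 'ovic_vc_import_options' comes from the advisory; the nonce action, the option allowlist and the JSON payload format are assumptions.

```php
<?php
// Added example of a hardened admin-ajax handler; not the plugin's own code.
// Assumed (not from the advisory): the nonce action name, the option
// allowlist, and that the import payload is JSON, not a PHP-serialized blob.

// Registered only for logged-in users (no 'wp_ajax_nopriv_' hook).
add_action( 'wp_ajax_ovic_vc_import_options', 'example_ovic_import_options' );

function example_ovic_import_options() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'ovic_import_nonce', 'nonce' );

    // 2. Capability check: being logged in (e.g. as a subscriber) is not enough;
    //    only users who may manage options are allowed to import them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Never unserialize() user input: a PHP-serialized payload can
    //    instantiate arbitrary classes (object injection). Parse JSON into
    //    plain arrays instead.
    $raw  = isset( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 4. Allowlist: only the plugin's own options may be written. Core options
    //    such as users_can_register and default_role are never accepted.
    $allowed = array( 'ovic_theme_color', 'ovic_layout' ); // assumed names
    $updated = array();
    foreach ( $data as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) || ! is_scalar( $value ) ) {
            continue; // drop anything outside the allowlist
        }
        update_option( $key, sanitize_text_field( (string) $value ) );
        $updated[] = $key;
    }

    wp_send_json_success( array( 'updated' => $updated ) );
}
```

A request from a subscriber stops at step 2 with a 403, and a request carrying 'users_can_register' or 'default_role' from any user is dropped at step 4.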

Added: May 15, 2026, 11:35 AM
Updated: May 15, 2026, 11:35 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.