Simple User Capabilities WordPress Plugin Missing Authorization Vulnerability in AJAX Endpoint

Vulnerability

A vulnerability exists in the Simple User Capabilities plugin for WordPress, all versions through 1.0, allowing unauthorized data modification. The issue arises from a missing capability check in the handler registered on the 'wp_ajax_nopriv_reset_capability' AJAX hook. WordPress fires 'wp_ajax_nopriv_' hooks for requests from visitors who are not logged in, so unauthenticated attackers can reset any user's capabilities.

Impact

Exploitation of this vulnerability allows unauthenticated users to reset the capabilities of any user, potentially leading to unauthorized access or privilege escalation.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.

Added: Nov 4, 2025, 5:41 AM
Updated: Nov 4, 2025, 5:41 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 0.0
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.