Profitori WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Profitori plugin for WordPress, affecting versions 2.0.6.0 prior to 2.1.1.3. The issue arises from a missing capability check on the stocktend_object endpoint, which allows unauthenticated attackers to invoke the save_object_as_user() function for objects with a '_datatype' of 'users'. This exploitation enables the attacker to write arbitrary strings into the user's wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a user to gain administrative rights on the WordPress site.

Added: Sep 1, 2025, 7:22 PM

Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

0.1

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

0.1

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Profitori WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating