WordPress Plugin Vulnerabilities

Vitepos < 3.4.2 - Outlet Manager+ Privilege Escalation

Description

The plugin does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom plugin role to escalate privileges to administrator.

Proof of Concept

Affects Plugins

Plugin icon
vitepos-lite
Fixed in 3.4.2

References

CVE
CVE-2026-8157

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Real_King_Engine (ISAL FRAMEWORK)
Submitter
Real_King_Engine (ISAL FRAMEWORK)
Verified
Yes
WPVDB ID
6680cc6a-9758-4040-bb39-7b9545041dc3

Timeline

Publicly Published
2026-06-01 (about 21 days ago)
Added
2026-06-01 (about 20 days ago)
Last Updated
2026-06-19 (about 2 days ago)

Other

Published
Title
Published
2026-05-19
Title
Read More & Accordion <= 3.5.7 - Privilege Escalation via importData
Published
2025-08-19
Title
CubeWP Framework < 1.1.25 - Subscriber+ Privilege Escalation
Published
2020-03-11
Title
Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
Published
2026-03-02
Title
LMS Elementor Pro <= 1.0.4 - Unauthenticated Privilege Escalation
Published
2024-08-02
Title
JetFormBuilder < 3.3.4.2 - Authenticated (Administrator+) Privilege Escalation