WordPress Plugin Vulnerabilities

DD Roles <= 4.1 - Authenticated (Subscriber+) Privilege Escalation

Description

The DD Roles plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
dd-roles
No known fix

References

CVE
CVE-2025-23528
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6001660c-4b18-473d-a07d-30e0f7af29d1

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
b95c8965-517c-4be5-9793-7cabd26dd343

Timeline

Publicly Published
2025-01-16 (about 1 year ago)
Added
2025-01-27 (about 1 year ago)
Last Updated
2025-01-27 (about 1 year ago)

Other

Published
Title
Published
2025-10-17
Title
Sale! Immigration law, Visa services support, Migration Agent Consulting <= 1.5.8 - Authenticated (Subscriber+) Privilege Escalation
Published
2023-08-21
Title
MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
Published
2025-07-31
Title
DELUCKS SEO < 2.6.1 - Authenticated (Subscriber+) Privilege Escalation
Published
2025-01-14
Title
User Management <= 1.2 - Authenticated (Subscriber+) Privilege Escalation
Published
2025-07-31
Title
Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation