What the vulnerability does
01 Description
The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
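The missing check, shown as a defensive sketch. This is an added example, not code from WP Freeio or its fix. The function names and the 'freelancer' and 'employer' role names are assumptions for illustration; the WordPress calls (`user_register`, `get_userdata`, `set_role`, `current_user_can`, `get_option`) are core APIs.

```php
<?php
// Added example (not WP Freeio code). 'freelancer' and 'employer' are assumed
// placeholders for the roles a site intends to offer at self-registration.
const SELF_SERVICE_ROLES = ['subscriber', 'freelancer', 'employer'];

/**
 * Map a client-supplied role value to one a visitor may assign to themselves.
 * Anything outside the allowlist (including 'administrator') becomes $default.
 */
function resolve_registration_role($requested, string $default = 'subscriber'): string
{
    if (!is_string($requested)) {
        return $default; // arrays or null coming from a malformed form field
    }
    $role = strtolower(trim($requested));
    return in_array($role, SELF_SERVICE_ROLES, true) ? $role : $default;
}

/**
 * Backstop on WordPress's user_register hook: if an account was created with
 * a role outside the allowlist and no existing administrator did it, reset it.
 */
function demote_unexpected_role(int $user_id): void
{
    if (current_user_can('promote_users')) {
        return; // an existing administrator created this account on purpose
    }
    $user = get_userdata($user_id);
    if ($user && array_diff($user->roles, SELF_SERVICE_ROLES)) {
        $user->set_role(resolve_registration_role(get_option('default_role')));
        error_log("registration backstop: reset roles for user {$user_id}");
    }
}

if (function_exists('add_action')) {
    // Running inside WordPress (for example as a must-use plugin).
    add_action('user_register', 'demote_unexpected_role', 99);
} else {
    // Stand-alone run over constructed sample inputs.
    $samples = ['freelancer', 'administrator', ' Administrator ', ['administrator'], null];
    foreach ($samples as $in) {
        printf("%s => %s\n", json_encode($in), resolve_registration_role($in));
    }
}
```

The hook only helps when the role is assigned during account creation, and it also resets accounts created outside an administrator session (for example from a command-line tool). Treat it as a stopgap until a fixed plugin version is installed.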
Explanation of Vulnerability in Simple Terms
02 Summary
WP Freeio versions up to 1.2.21 contain a privilege management flaw that allows unauthenticated attackers to gain full control of the site. The vulnerability requires no user interaction and can be exploited over the network. An attacker can read sensitive data, modify site content, and disrupt service.
What an attacker can do
03 Attacker Capabilities
Gain full administrative control of the site without authentication.
Potential impact on your site
04 Site Impact
Complete site compromise: attackers can steal data, modify content, create accounts, and take the site offline.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
October 11, 2025: CVE published
April 8, 2026: Record updated