Description: what the vulnerability does
The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles.
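Added illustration of the missing check, not the plugin's own code: a hypothetical profile-save handler in the unchecked form the advisory describes, beside a hardened version that applies the same gates WordPress core's own edit_user() applies to role changes (a nonce, the 'promote_user' meta capability for the target user, and the get_editable_roles() whitelist). The hook, form field and nonce names are assumed.

```php
<?php
// Added illustration, not the plugin's own code. Field, nonce and hook names are assumed.

// UNCHECKED pattern the advisory describes: reaching the form is treated as authorization.
function example_save_roles_unchecked( $user_id ) {
    if ( empty( $_POST['example_roles'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    $user->set_role( '' );
    foreach ( (array) $_POST['example_roles'] as $role ) {
        $user->add_role( $role ); // any role name accepted, 'administrator' included
    }
}

// HARDENED: same behaviour, gated the way core's edit_user() gates role changes.
function example_save_roles_checked( $user_id ) {
    if ( empty( $_POST['example_roles'] ) ) {
        return;
    }
    // 1. Reject forged requests (CSRF). Nonce action/field names are assumed.
    check_admin_referer( 'example_save_roles', 'example_roles_nonce' );

    // 2. The capability check the advisory says is missing: 'promote_user'
    //    (mapped to 'promote_users') asks whether the current user may change
    //    THIS user's role, which 'edit_users' alone does not grant.
    if ( ! current_user_can( 'promote_user', $user_id ) ) {
        wp_die( 'Sorry, you are not allowed to change this user\'s role.', 403 );
    }

    // 3. Only roles the current user is permitted to hand out. get_editable_roles()
    //    (wp-admin/includes/user.php) honours the 'editable_roles' filter.
    $allowed   = array_keys( get_editable_roles() );
    $requested = array_map( 'sanitize_key', (array) wp_unslash( $_POST['example_roles'] ) );
    $roles     = array_intersect( $requested, $allowed );
    if ( count( $roles ) !== count( $requested ) ) {
        wp_die( 'Sorry, you are not allowed to give users that role.', 403 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $user->set_role( '' ); // clear, then assign only the validated set
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}
add_action( 'edit_user_profile_update', 'example_save_roles_checked' );
```

The hook runs in wp-admin, where get_editable_roles() is loaded; a detection rule for this class of bug is a save handler that touches WP_User roles without a current_user_can() call on the target user.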
Summary: the vulnerability explained in simple terms
Multiple Roles per User versions 1.0 and earlier contain an authorization bypass that allows high-privileged users to access or modify sensitive data and functionality they should not have permission to use. The vulnerability requires an authenticated account with elevated privileges to exploit. No user interaction is needed once an attacker gains high-level access.
Attacker capabilities: what an attacker can do
Read, modify, or delete sensitive data and functionality beyond their assigned role permissions.
Site impact: potential impact on your site
Privileged users can escalate their access to perform unauthorized actions, risking data breach or site compromise.
Prerequisites: conditions required to exploit
Attacker must have a high-privilege account (e.g., administrator or manager role) on the site.
Disclosure timeline: key dates
CVE published: November 18, 2025
Record updated: April 8, 2026