CVE-2025-11620 HIGH

CVE-2025-11620: Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation

Vendor: Jemoreto
Product: Multiple Roles per User
Weakness: CWE-862 · Missing authorization
Published: November 18, 2025
Last update: April 8, 2026

CVSS base score

7.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles.
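As an added illustration (not the plugin's own code, nor its fix), a hypothetical WordPress role-save handler showing the checks that a handler of this kind needs: nonce verification, a capability check against the target user, and restriction to roles the current user is allowed to assign. Hook, function and form-field names are assumptions.

```php
<?php
// Hypothetical handler, not the plugin's code: saves a set of roles submitted
// from the user-profile screen, with the authorization checks in place.

add_action( 'edit_user_profile_update', 'example_save_user_roles' );
add_action( 'personal_options_update', 'example_save_user_roles' );

function example_save_user_roles( $user_id ) {
    // 1. CSRF: the request must carry the nonce core adds to the profile form.
    check_admin_referer( 'update-user_' . $user_id );

    // 2. Authorization on the *target* user, not merely "is logged in".
    //    'promote_users' is what core itself requires for changing roles;
    //    'edit_user' is the meta capability for editing this specific user.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to change roles for this user.', 403 );
    }

    $target = get_userdata( $user_id );
    if ( ! $target ) {
        return;
    }

    // 3. Only roles the current user may hand out can be assigned.
    //    get_editable_roles() applies the 'editable_roles' filter, which is
    //    how site owners restrict who is able to grant Administrator.
    $allowed   = array_keys( get_editable_roles() );
    $requested = isset( $_POST['example_roles'] ) ? (array) $_POST['example_roles'] : array();
    $requested = array_map( 'sanitize_key', $requested );
    foreach ( $requested as $role ) {
        if ( ! in_array( $role, $allowed, true ) ) {
            wp_die( 'Role not assignable by the current user.', 403 );
        }
    }

    // 4. Do not let an administrator strip their own administrator role.
    if ( get_current_user_id() === $user_id
         && in_array( 'administrator', (array) $target->roles, true )
         && ! in_array( 'administrator', $requested, true ) ) {
        wp_die( 'You cannot remove your own administrator role.', 403 );
    }

    // Replace the user's role set with the validated list.
    $target->set_role( '' ); // clears all existing roles
    foreach ( $requested as $role ) {
        $target->add_role( $role );
    }
}
```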

Explanation of Vulnerability in Simple Terms

02 Summary

Multiple Roles per User versions 1.0 and earlier contain an authorization bypass that allows high-privileged users to access or modify sensitive data and functionality they should not have permission to use. The vulnerability requires an authenticated account with elevated privileges to exploit. No user interaction is needed once an attacker gains high-level access.

What an attacker can do

03 Attacker Capabilities

Modify data and functionality beyond their assigned role permissions; here, that means editing any user's roles, including promoting users to Administrator or demoting Administrators to lower-privileged roles.

Potential impact on your site

04 Site Impact

Privileged users can escalate their access to perform unauthorized actions, risking data breach or site compromise.

Conditions required to exploit

05 Prerequisites

Attacker must have a high-privilege account on the site (e.g., an administrator or manager role, or any role granted the 'edit_users' capability).

Key dates

06 Disclosure timeline

November 18, 2025: CVE published
April 8, 2026: Record updated