CVE-2026-4314 HIGH

CVE-2026-4314: The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

Vendor Wpextended

Product The Ultimate WordPress Toolkit – WP Extended

Weakness CWE-269

Published March 22, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine if a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.

Key dates

Disclosure timeline

March 22, 2026 CVE published

April 8, 2026 Record updated

Identifiers

CVE CVE-2026-4314

CWE CWE-269

CVSS 8.8 / HIGH

Affected versions

Vendor Wpextended

Product The Ultimate WordPress Toolkit – WP Extended

Affected ≤ 3.2.4