CVE-2025-12158
Published: 04 November 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-12158, published on 2025-11-04, is a privilege escalation vulnerability in the Simple User Capabilities plugin for WordPress. It arises from a missing capability check in the suc_submit_capabilities() function, affecting all versions up to and including 1.0. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. Successful exploitation allows them to elevate the role of any user account to administrator, potentially granting full control over the WordPress site and leading to high impacts on confidentiality, integrity, and availability.
Advisories and references, including the Wordfence threat intelligence page, the official WordPress plugin page, and the plugin's source code on SVN, provide further details on the vulnerability. Security practitioners should review these for any patch availability or recommended actions, such as plugin deactivation.
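As an added illustration (not the plugin's code and not taken from this advisory), the hardened shape of a WordPress AJAX handler that changes a user's role, with the capability check whose absence the advisory describes marked inline; the `sucap_update_role` action, the nonce names and the request fields are assumptions:

```php
<?php
// Added example: hypothetical WordPress AJAX handler in hardened form.
// The hook, function, nonce and field names are assumptions; they are not
// from the Simple User Capabilities plugin.

// Register for logged-in users only. Registering the same callback on
// 'wp_ajax_nopriv_...' would expose it to unauthenticated requests.
add_action( 'wp_ajax_sucap_update_role', 'sucap_update_role' );

function sucap_update_role() {
    // CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'sucap_update_role', 'sucap_nonce' );

    // Capability check: this is the authorization step whose absence is
    // CWE-862. Without it, any caller could change any account's role.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    // Accept only roles that actually exist on this site.
    if ( ! $user_id || '' === $role || null === get_role( $role ) ) {
        wp_send_json_error( array( 'message' => 'Invalid user or role.' ), 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    // Granting administrator is a higher-privilege decision: additionally
    // require the edit_users capability before allowing it.
    if ( 'administrator' === $role && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Cannot assign administrator.' ), 403 );
    }

    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```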
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables initial access (T1190) and privilege escalation to administrator (T1068).