Cyber Posture

CVE-2025-22736

Severity: High

Published: 15 January 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Incorrect Privilege Assignment vulnerability in Saad Iqbal User Management (user-management) allows Privilege Escalation. This issue affects User Management: from n/a through <= 1.2.

Security Summary

CVE-2025-22736 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the User Management WordPress plugin developed by Saad Iqbal. The flaw enables privilege escalation and affects the plugin from its initial release through version 1.2.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by an authenticated user holding low privileges, with low attack complexity and no user interaction. In WordPress terms, PR:L means a Subscriber-level account is sufficient, so sites that allow open registration are effectively exposed to anyone who can create an account. Successful exploitation gives the attacker high impact on confidentiality, integrity, and availability, allowing escalation to higher privileges such as administrator rights on the affected WordPress site.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/user-management/vulnerability/wordpress-user-management-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve details this privilege escalation issue in User Management plugin version 1.2. Security practitioners should review the advisory for mitigation guidance and patch information.

Details

CWE(s): CWE-266 (Incorrect Privilege Assignment)
