CVE-2025-23528
Published: 16 January 2025
Description
Incorrect Privilege Assignment vulnerability in Mosterd3d DD Roles dd-roles allows Privilege Escalation. This issue affects DD Roles: from n/a through <= 4.1.
Security Summary
CVE-2025-23528 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the DD Roles WordPress plugin developed by Mosterd3d. The flaw allows for privilege escalation and affects all versions of the dd-roles plugin from n/a through 4.1 inclusive.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It is exploitable over the network by an authenticated attacker holding only low privileges, with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, since the attacker ends up with elevated privileges within the affected WordPress installation.
Patchstack advisories document this privilege escalation vulnerability in the DD Roles plugin up to version 4.1, providing details on the issue at https://patchstack.com/database/Wordpress/Plugin/dd-roles/vulnerability/wordpress-dd-roles-plugin-4-1-privilege-escalation-vulnerability?_s_id=cve.
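A practitioner triaging this advisory mostly needs to know whether an installed copy falls inside the affected range. The following is an added shell example, not code from this page, from the plugin, or from Patchstack. It encodes the advisory's range (every version up to and including 4.1) and compares an installed version against it with GNU `sort -V`, so that a version such as 4.10 is correctly treated as newer than 4.1 rather than compared as a string. The `dd_roles_installed_version` helper assumes WP-CLI (`wp`) is on PATH and is given a WordPress root directory; it is only invoked when a path is passed on the command line.

```shell
#!/bin/sh
# Highest affected DD Roles version per the advisory ("from n/a through <= 4.1").
DD_ROLES_MAX_AFFECTED="4.1"

# version_le A B : succeed when A <= B in version ordering.
# Assumes GNU coreutils sort (-V). Equal versions sort stably, so A == B passes.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# dd_roles_affected VERSION : 0 = inside the affected range, 1 = outside it,
# 2 = unknown (empty or not a plain dotted version, e.g. plugin not installed).
dd_roles_affected() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;
    esac
    version_le "$1" "$DD_ROLES_MAX_AFFECTED"
}

# dd_roles_installed_version WP_ROOT : print the installed plugin version via
# WP-CLI, or an empty string if the plugin is absent or wp is unavailable.
# (Assumption: wp is on PATH; this is not run by the offline checks.)
dd_roles_installed_version() {
    wp plugin get dd-roles --field=version --path="$1" 2>/dev/null || true
}

# Usage: sh check-dd-roles.sh /var/www/html
if [ "$#" -ge 1 ]; then
    installed=$(dd_roles_installed_version "$1")
    rc=0
    dd_roles_affected "$installed" || rc=$?
    case "$rc" in
        0) echo "dd-roles $installed: AFFECTED by CVE-2025-23528 (<= $DD_ROLES_MAX_AFFECTED)" ;;
        1) echo "dd-roles $installed: outside the advertised affected range" ;;
        *) echo "dd-roles: version unknown (not installed or wp not available)" ;;
    esac
fi
```

The check implements the advisory's stated range literally, so a point release numbered above 4.1 (for example 4.1.1) is reported as outside it; the page does not name the fixed release, so confirm against the vendor changelog before treating such a build as patched.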
Details
- CWE(s): CWE-266 Incorrect Privilege Assignment