WordPress Plugins can be Installed by Attacker with Valid but Unnecessary Permissions
CVE-2025-68128
Summary
Some WordPress plugins have a feature that allows administrators to assign permissions to users even if the users don't need them. An attacker could exploit this by creating an account with the required permissions and installing malicious plugins without being detected. To prevent this, ensure all users have only the necessary permissions.
Original title
Rejected reason: reserved but not needed
Original description
Rejected reason: reserved but not needed
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026