Vulnerability Description
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/clas
- https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/clas
- https://plugins.trac.wordpress.org/changeset/3439348/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d
FAQ
What is CVE-2025-14866?
CVE-2025-14866 is a vulnerability with a CVSS score of 8.8 (HIGH). The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary...
How severe is CVE-2025-14866?
CVE-2025-14866 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-14866?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.