Vulnerability Description
The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://plugins.trac.wordpress.org/browser/highland-software-custom-role-manager
- https://www.wordfence.com/threat-intel/vulnerabilities/id/80a258a6-634c-4d7d-981
FAQ
What is CVE-2026-7106?
CVE-2026-7106 is a vulnerability with a CVSS score of 8.8 (HIGH). The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscr...
How severe is CVE-2026-7106?
CVE-2026-7106 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-7106?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.