cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for multiple-roles

Jun 16, 2026

Multiple Roles # e03420c55099714ac90da016761d318e5e1cb6db

Application

Multiple Roles

Date
-
Research Description
Multiple Roles [multiple-roles] <= 1.3.1 (unfixed): Various Affected Software (Various Versions) - Cross-Site Request Forgery Bypass. Over 70 plugins and themes were vulnerable to Cross-Site Request Forgery due to improperly implemented nonce protection that could be bypassed.
Affected versions
max 1.3.1.
Status
vulnerable

Multiple Roles # 3725296b-c316-440a-875a-3068fb876b3b

Application

Multiple Roles

Date
-
Research Description
Multiple Roles [multiple-roles] < 1.3.2: CSRF Bypass in Multiple Plugins. Multiple plugins are affected by CSRF bypass as they do not properly check for the nonce due to a logic flaw. This could allow attackers to make logged-in users do unwanted actions.
Affected versions
max 1.3.2.
Status
vulnerable

Multiple Roles # fcd6911d542e55de4d38ddee02a41175030b13e3

Application

Multiple Roles

Date
Jul 26, 2022
Research Description
Multiple Roles [multiple-roles] < 1.3.7: Multiple Roles < 1.3.7 - Privilege Escalation. The Multiple Roles plugin for WordPress is vulnerable to privilege escalation in versions before 1.3.7. This could allow authenticated attackers to escalate their privileges by updating user roles on the site.
Affected versions
max 1.3.7.
Status
vulnerable
Jun 06, 2024

Multiple Roles # 9f69045a436b4d0afd4decf9d0a76c8e9383e9d8

Application

Multiple Roles

Date
Jun 08, 2021
Research Description
Multiple Roles [multiple-roles] < 1.3.2: WordPress Multiple Roles plugin <= 1.3.1 - Cross-Site Request Forgery (CSRF) vulnerability. Cross-Site Request Forgery (CSRF) vulnerability discovered by NinTechNet in WordPress Multiple Roles plugin (versions <= 1.3.1).
Affected versions
max 1.3.2.
Status
vulnerable

Multiple Roles # CVE-2021-4342

CVE, Research URL

-

Application

Multiple Roles

Date
Jun 07, 2023
Research Description
Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions
max 1.3.1.
Status
vulnerable

Multiple Roles # CVE-2021-4402

CVE, Research URL

CVE-2021-4402

Application

Multiple Roles

Date
Jul 01, 2023
Research Description
The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.3.2.
Status
vulnerable