cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for user-role-editor

Jun 06, 2024

User Role Editor # f814ebd7f3c5283e94417912def596f19b5b9156

Application

User Role Editor

Date
Apr 05, 2016
Research Description
User Role Editor [user-role-editor] < 3.13 (closed); WordPress User Role Editor Plugin <= 4.24 - Privilege Escalation. Because of this vulnerability, any registered user can gain administrator access. Upgrade the plugin.
Affected versions
max 3.13.
Status
vulnerable
Dec 18, 2024

User Role Editor # CVE-2024-12293

CVE, Research URL

CVE-2024-12293

Application

User Role Editor

Date
Dec 17, 2024
Research Description
The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the update_roles() function. This makes it possible for unauthenticated attackers to add or remove roles for arbitrary users, including escalating their privileges to administrator, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 4.64.4.
Status
vulnerable
Feb 16, 2026

User Role Editor # PSC-2026-64609

PSC, Research URL

PSC-2026-64609

Application

User Role Editor

Date
Feb 16, 2026
Research Description
User Role Editor v4.64.6 is a widely used WordPress administration plugin that lets site owners manage roles and capabilities through a clear checkbox-based interface, making it easy to add, remove, clone, and delete roles while also supporting per-user capability assignments and multisite networks. Because role and capability management directly governs access control across WordPress, any weakness in its implementation could have severe impact, including unauthorized privilege changes or admin takeover paths. User Role Editor has passed CleanTalk Plugin Security Certification under PSC-2026-64609, confirming that the plugin was assessed for secure coding practices and validated against major vulnerability classes.
Affected versions
Min 4.64.6, max 4.64.6.
Status
SAFE & CERTIFIED