cleantalk
Vulnerabilities and Security Researches

PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus, CVE-2021-25032

CVE, Research URL

CVE-2021-25032

Home page URL

Security reports for PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus

Application

PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus

Published on
Jan 10, 2022
Research Description
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.
Affected versions
max 2.3.1.
Status
vulnerable
Previous vulnerability researches
PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus (CVE-2026-32394) , Mar 30, 2026
PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus (CVE-2022-3366) , Jun 07, 2024
PublishPress Capabilities – User Role Editor, Access Permissions, Admin Menus (CVE-2021-25032) , Jun 07, 2024
New vulnerability
PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes (CVE-2026-32539) , Mar 30, 2026
Kargo Takip (CVE-2026-25365) , Mar 30, 2026
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) (CVE-2026-32429) , Mar 30, 2026
Pochipp (CVE-2026-32417) , Mar 30, 2026
Contact Manager (CVE-2026-32517) , Mar 30, 2026