Skip to main content

CVE-2025-52836

CRITICAL
Incorrect Privilege Assignment (CWE-266)
2025-07-16 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.8 (CRITICAL)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 12:15 nvd
N/A

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation.This issue affects The E-Commerce ERP: from n/a through <= 2.1.1.3.

AnalysisAI

Privilege escalation in Unity Business Technology's E-Commerce ERP plugin (profitori) through version 2.1.1.3 allows attackers to gain elevated permissions due to incorrect privilege assignment. The vulnerability affects the WordPress plugin with EPSS exploitation probability at 0.09%, indicating low real-world exploitation likelihood despite the privilege escalation impact. No public exploit code or active exploitation (KEV status) has been confirmed.

Technical ContextAI

The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a fundamental access control weakness where the application fails to properly validate or enforce privilege boundaries. In the context of the E-Commerce ERP WordPress plugin, this likely manifests as improper capability checks or role-based access control (RBAC) implementation, enabling lower-privileged users or unauthenticated actors to perform administrative functions. The profitori plugin operates within WordPress's permission model, where incorrect use of current_user_can() checks or failure to properly sanitize user roles creates the exploitation vector.

Affected ProductsAI

The E-Commerce ERP (profitori) plugin for WordPress, maintained by Unity Business Technology Pty Ltd, is affected in all versions from the initial release through version 2.1.1.3. The vulnerability is identified in the WordPress plugin repository listing at patchstack.com for the profitori plugin. No CPE string is available from provided data.

RemediationAI

Update the profitori plugin to a version newer than 2.1.1.3. As of the analysis date, users should check the WordPress plugin repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/profitori/vulnerability/wordpress-the-e-commerce-erp-2-1-1-3-privilege-escalation-vulnerability for the patched release version. Until patching is possible, restrict plugin access to trusted administrators only and consider temporarily disabling the plugin if the privilege escalation impact is unacceptable for your environment.

Share

CVE-2025-52836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy