CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any value in any database table, including the wp_capabilities database field. That in turn allows attackers to change their own role to administrator, which leads to privilege escalation.
Analysis
The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. …
Remediation
Within 24 hours: Inventory all WordPress installations using the Linksy Search and Replace plugin and disable or remove the plugin immediately. Within 7 days: Audit user access logs and WordPress user roles for suspicious privilege escalations; reset credentials for all administrative accounts as a precaution. …
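One way to carry out the role audit described above, as an added example that is not part of the original advisory or the plugin's code: it parses the PHP-serialized wp_capabilities values exported from wp_usermeta and flags administrators outside a known-good list. The sample rows, the `EXPECTED_ADMINS` allowlist and the default `wp_` table prefix are assumptions.

```python
import re

# Constructed sample rows: (user_id, meta_value) as exported from wp_usermeta
# WHERE meta_key = 'wp_capabilities' (key name assumes the default 'wp_' prefix).
SAMPLE_ROWS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (7, 'a:1:{s:10:"subscriber";b:1;}'),
    (12, 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (15, 'a:1:{s:13:"administrator";b:0;}'),
    (19, 'a:1:{s:6:"editor";b:1'),  # truncated or tampered value
]
EXPECTED_ADMINS = {1}  # assumption: user IDs your team knows should be administrators

_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def parse_capabilities(value):
    """Parse a PHP-serialized {role: bool} array; raise ValueError if malformed."""
    m = re.fullmatch(r'a:(\d+):\{(.*)\}', value, re.S)
    if not m:
        raise ValueError("not a serialized array")
    count, body = int(m.group(1)), m.group(2)
    roles, pos = {}, 0
    while pos < len(body):
        e = _ENTRY.match(body, pos)
        # The declared string length must match the role name's byte length.
        if not e or int(e.group(1)) != len(e.group(2).encode()):
            raise ValueError("bad entry at offset %d" % pos)
        roles[e.group(2)] = e.group(3) == "1"
        pos = e.end()
    if len(roles) != count:
        raise ValueError("declared count does not match entries")
    return roles

def audit(rows, expected_admins):
    """Return (unexpected_admin_ids, unparseable_ids)."""
    unexpected, unparseable = [], []
    for user_id, value in rows:
        try:
            roles = parse_capabilities(value)
        except ValueError:
            unparseable.append(user_id)  # needs manual review
            continue
        if roles.get("administrator") and user_id not in expected_admins:
            unexpected.append(user_id)
    return unexpected, unparseable

if __name__ == "__main__":
    unexpected, unparseable = audit(SAMPLE_ROWS, EXPECTED_ADMINS)
    print("unexpected administrators:", unexpected)
    print("values needing manual review:", unparseable)
```

Because the flaw permits writes to any table, a clean result here does not rule out other changes; unparseable values are reported separately so a damaged row is reviewed rather than skipped.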
EUVD-2026-14009
GHSA-3wp4-fj34-73v5