Skip to main content

Rewardswp CVE-2026-32520

| EUVDEUVD-2026-15884 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-j7j8-2m3c-hf7j
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15884
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.

AnalysisAI

RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.

Technical ContextAI

RewardsWP is a WordPress plugin (CPE: cpe:2.3:a:andrew_munro_/_affiliatewp:rewardswp:*:*:*:*:*:*:*:*) that manages rewards and affiliate incentives. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a weakness where the plugin fails to properly validate or enforce capability checks when assigning user roles or permissions. Rather than verifying that a user possesses the appropriate WordPress capabilities before granting elevated access, the plugin may assign privileges directly based on insufficient input validation or missing authorization checks. This is particularly critical in WordPress contexts where capability-based access control is fundamental to security architecture.

RemediationAI

Immediately upgrade RewardsWP to a patched version beyond 1.0.4 if available; consult the vendor's advisory via Patchstack at https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability for the specific patched version number and installation instructions. Until an upgrade is possible, implement capability-based access control restrictions at the WordPress level by auditing user roles and capabilities using the native WordPress Role Editor, limit plugin admin pages to trusted user roles only via .htaccess or security plugins, and monitor WordPress user and capability changes via audit logging. If the plugin is not essential, consider deactivating and removing it until a patch is confirmed available.

Share

CVE-2026-32520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy