Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.
AnalysisAI
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
Technical ContextAI
RewardsWP is a WordPress plugin (CPE: cpe:2.3:a:andrew_munro_/_affiliatewp:rewardswp:*:*:*:*:*:*:*:*) that manages rewards and affiliate incentives. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a weakness where the plugin fails to properly validate or enforce capability checks when assigning user roles or permissions. Rather than verifying that a user possesses the appropriate WordPress capabilities before granting elevated access, the plugin may assign privileges directly based on insufficient input validation or missing authorization checks. This is particularly critical in WordPress contexts where capability-based access control is fundamental to security architecture.
RemediationAI
Immediately upgrade RewardsWP to a patched version beyond 1.0.4 if available; consult the vendor's advisory via Patchstack at https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability for the specific patched version number and installation instructions. Until an upgrade is possible, implement capability-based access control restrictions at the WordPress level by auditing user roles and capabilities using the native WordPress Role Editor, limit plugin admin pages to trusted user roles only via .htaccess or security plugins, and monitor WordPress user and capability changes via audit logging. If the plugin is not essential, consider deactivating and removing it until a patch is confirmed available.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15884
GHSA-j7j8-2m3c-hf7j