Skip to main content

iControlWP CVE-2026-34901

| EUVDEUVD-2026-36922 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-65qj-xmm4-g884
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Plugin endpoint is reachable over the network with no auth or user interaction, and administrator takeover yields full confidentiality, integrity, and availability impact on the WordPress site.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:36 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.

AnalysisAI

Unauthenticated privilege escalation in iControlWP WordPress plugin versions 5.5.3 and earlier allows remote attackers to gain elevated privileges on affected WordPress sites without authentication. Reported by Patchstack and rated CVSS 9.8, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and impacts the worpit-admin-dashboard-plugin distribution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

iControlWP (formerly Worpit Admin Dashboard Plugin) is a WordPress management plugin authored by 'paul' (CPE cpe:2.3:a:paul:icontrolwp) that enables remote administration of WordPress sites from a central dashboard. CWE-266 (Incorrect Privilege Assignment) indicates the plugin assigns privileges to a user or session in a way that does not properly enforce intended access controls - typically due to missing capability checks, flawed nonce/token validation, or incorrect role assignment logic in a privileged AJAX/REST endpoint. Because such management plugins commonly expose endpoints that mediate site control actions, a missing authorization check on one of these endpoints would allow an unauthenticated request to acquire administrator-equivalent capabilities.

RemediationAI

No vendor-released fixed version is independently confirmed in the available data, so consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/worpit-admin-dashboard-plugin/vulnerability/wordpress-icontrolwp-plugin-5-5-3-privilege-escalation-vulnerability for the current patched release and upgrade beyond 5.5.3 as soon as one is published. Until a patched version is installed, deactivate and remove the iControlWP plugin on affected WordPress sites (this disables remote management via the iControlWP dashboard, so operators relying on it must temporarily use direct wp-admin access), or place the site behind a WAF rule that blocks unauthenticated requests to the plugin's admin-ajax.php and REST endpoints (which may break legitimate iControlWP central-dashboard calls). Restricting access to /wp-admin and /wp-json to known IPs is an additional compensating control with the trade-off of breaking remote management from unlisted networks.

Share

CVE-2026-34901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy