Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Plugin endpoint is reachable over the network with no auth or user interaction, and administrator takeover yields full confidentiality, integrity, and availability impact on the WordPress site.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
AnalysisAI
Unauthenticated privilege escalation in iControlWP WordPress plugin versions 5.5.3 and earlier allows remote attackers to gain elevated privileges on affected WordPress sites without authentication. Reported by Patchstack and rated CVSS 9.8, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and impacts the worpit-admin-dashboard-plugin distribution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
iControlWP (formerly Worpit Admin Dashboard Plugin) is a WordPress management plugin authored by 'paul' (CPE cpe:2.3:a:paul:icontrolwp) that enables remote administration of WordPress sites from a central dashboard. CWE-266 (Incorrect Privilege Assignment) indicates the plugin assigns privileges to a user or session in a way that does not properly enforce intended access controls - typically due to missing capability checks, flawed nonce/token validation, or incorrect role assignment logic in a privileged AJAX/REST endpoint. Because such management plugins commonly expose endpoints that mediate site control actions, a missing authorization check on one of these endpoints would allow an unauthenticated request to acquire administrator-equivalent capabilities.
RemediationAI
No vendor-released fixed version is independently confirmed in the available data, so consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/worpit-admin-dashboard-plugin/vulnerability/wordpress-icontrolwp-plugin-5-5-3-privilege-escalation-vulnerability for the current patched release and upgrade beyond 5.5.3 as soon as one is published. Until a patched version is installed, deactivate and remove the iControlWP plugin on affected WordPress sites (this disables remote management via the iControlWP dashboard, so operators relying on it must temporarily use direct wp-admin access), or place the site behind a WAF rule that blocks unauthenticated requests to the plugin's admin-ajax.php and REST endpoints (which may break legitimate iControlWP central-dashboard calls). Restricting access to /wp-admin and /wp-json to known IPs is an additional compensating control with the trade-off of breaking remote management from unlisted networks.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36922
GHSA-65qj-xmm4-g884