Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable XML-RPC endpoint, low complexity, requires any authenticated Subscriber (PR:L), no UI; arbitrary options update yields full admin takeover so C/I/A:H.
Primary rating from Vendor (Wordfence).
CVSS Vector (Vendor: Wordfence)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.
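The pattern the description names, shown as an added illustration rather than the plugin's actual source (which this page does not reproduce): an XML-RPC handler wired up through the `xmlrpc_methods` filter that authenticates with `$wp_xmlrpc_server->login()` but never asks whether the caller may change options, beside the hardened form. The argument order, the function names `nc_setOption_vulnerable` / `nc_setOption_hardened` and the option allow-list are assumptions for the example.

```php
<?php
/*
 * Illustrative reconstruction of the CWE-862 pattern described in the advisory.
 * NOT the plugin's code: argument order, function names and option names are assumed.
 * Both handlers receive $args, the positional parameter array XML-RPC passes in.
 */

// Vulnerable shape: login() proves the caller knows a valid username/password
// (authentication), and any role, including Subscriber, passes that test.
// Nothing checks whether the caller is *allowed* to write options (authorization).
function nc_setOption_vulnerable( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );

    $username = $args[0];
    $password = $args[1];
    $name     = $args[2];
    $value    = $args[3];

    if ( ! $user = $wp_xmlrpc_server->login( $username, $password ) ) {
        return $wp_xmlrpc_server->error; // IXR_Error 403 "Incorrect username or password."
    }

    // Missing: current_user_can( 'manage_options' ). A Subscriber can set
    // default_role = 'administrator' and then self-register an admin account.
    return update_option( $name, $value );
}

// Hardened shape: same authentication, plus an authorization check and an
// allow-list so the method cannot serve as a generic "write any option" primitive.
function nc_setOption_hardened( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );

    $username = $args[0];
    $password = $args[1];
    $name     = $args[2];
    $value    = $args[3];

    if ( ! $user = $wp_xmlrpc_server->login( $username, $password ) ) {
        return $wp_xmlrpc_server->error;
    }

    // login() calls wp_set_current_user(), so current_user_can() now refers to
    // the XML-RPC caller rather than to an anonymous visitor.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new IXR_Error( 403, __( 'Sorry, you are not allowed to manage options.' ) );
    }

    // Only options this plugin actually owns (hypothetical option names).
    $allowed = array( 'nc_api_key', 'nc_default_author' );
    if ( ! in_array( $name, $allowed, true ) ) {
        return new IXR_Error( 400, __( 'Unknown option.' ) );
    }

    return (bool) update_option( $name, $value );
}

// Register only the hardened handler under the method name the advisory mentions.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['nc.setOption'] = 'nc_setOption_hardened';
    return $methods;
} );
```

The capability check alone closes the privilege-escalation path; the allow-list is the second line of defence, because an option-write primitive that reaches `default_role`, `users_can_register`, `siteurl` or `active_plugins` is a takeover even when the caller is an Editor.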
Analysis (AI)
Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires (1) the newscred-publishing plugin installed and active on the target WordPress site, (2) XML-RPC enabled (the WordPress default), and (3) valid credentials for any account with Subscriber-level role or higher, obtainable trivially on sites that permit open user registration, or via credential reuse/phishing otherwise. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H accurately reflects the impact: any low-privilege authenticated user can fully take over the site over the network with low complexity and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a target WordPress site that allows open registration (or compromises any existing low-privilege account via credential stuffing). They send an authenticated XML-RPC request invoking nc.setOption to change default_role from 'subscriber' to 'administrator', then use the standard wp-login.php?action=register flow to create a second account that is automatically granted administrator privileges, achieving full site takeover within seconds. |
| Remediation | No vendor-released patch identified at time of analysis; no fix version is listed in the available references, only the vulnerable 0.0.31 source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Disable and remove the Welcome Software Publishing plugin immediately; confirm that the default_role option still holds its intended value (normally 'subscriber') and audit all administrator accounts for unexpected additions (the attack creates them through the normal registration flow after changing default_role, so they look like ordinary sign-ups); review web server logs for POST requests to xmlrpc.php from unexpected sources, bearing in mind that the method name nc.setOption is inside the request body and appears only where bodies are logged, for example by a WAF or request logger. …
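Where the plugin cannot be removed at once, the following must-use plugin is one compensating control. It is an added example, not a vendor-supplied fix, and it assumes the plugin registers its method through the standard `xmlrpc_methods` filter (the only hook WordPress offers for adding XML-RPC methods); the `nc_guard_*` names and log format are choices for this example.

```php
<?php
/*
 * Plugin Name: nc.setOption guard (added example, not a vendor fix)
 *
 * Must-use plugin: place in wp-content/mu-plugins/ so it loads before regular
 * plugins and cannot be deactivated from the dashboard. Assumes the vulnerable
 * plugin registers its method via the standard xmlrpc_methods filter.
 */

// Replacement callback: deny the call and leave a trace in the PHP error log,
// which ordinary access logs cannot provide (they show only POST /xmlrpc.php).
// A named function is used because IXR_Server::call() validates string callbacks
// with function_exists() and does not accept closures.
function nc_guard_deny_setoption( $args ) {
    error_log( sprintf(
        '[nc-guard] blocked nc.setOption from %s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return new IXR_Error( 403, 'Method disabled by site administrator.' );
}

// 1. Swap the plugin's handler for the deny stub. PHP_INT_MAX priority makes this
//    filter run after the plugin's own registration, whatever priority it used.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( isset( $methods['nc.setOption'] ) ) {
        $methods['nc.setOption'] = 'nc_guard_deny_setoption';
    }
    return $methods;
}, PHP_INT_MAX );

// 2. Defence in depth: refuse a default_role change by any caller lacking
//    manage_options, whatever code path attempts it. Returning $old_value from
//    pre_update_option_{option} turns update_option() into a no-op.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( $value !== $old_value && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            '[nc-guard] blocked default_role change "%s" -> "%s" by user #%d',
            $old_value, $value, get_current_user_id()
        ) );
        return $old_value;
    }
    return $value;
}, 10, 2 );
```

The second hook also blocks unattended paths that run without a user context, so a WP-CLI `wp option update default_role` must be run with `--user=<administrator>` while the guard is in place. The `[nc-guard]` lines in the PHP error log give the evidence of attempted calls that the recommended log review asks for.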
Same weakness: CWE-862 – Missing Authorization
Same technique: Authentication Bypass
EUVD-2026-38664
GHSA-xgj6-m977-pghj