Skip to main content

MailerPress CVE-2026-57410

| EUVDEUVD-2026-43482 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-07-13 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Any authenticated low-privilege user can escalate over the network with no interaction (PR:L, AV:N, AC:L), and successful escalation yields full C/I/A impact within an unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:56 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in MailerPress Team MailerPress mailerpress allows Privilege Escalation.This issue affects MailerPress: from n/a through <= 2.0.2.

AnalysisAI

Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Reach vulnerable plugin endpoint
Exploit
Trigger incorrect privilege assignment
Execution
Escalate to administrator role
Impact
Take over site

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a valid authenticated WordPress account on the target site (CVSS PR:L), so the practical prerequisite is either an existing low-privilege account or a site configured to permit open user self-registration; no user interaction and no elevated privileges are needed beyond that initial login. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS base score is 8.8 (High), driven by network vector, low complexity, no user interaction, and only low privileges required - meaning any authenticated account (potentially a self-registered subscriber on sites allowing open registration) can exploit it, and the S:U/C:H/I:H/A:H metrics imply full compromise of the plugin's protected scope or the site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege WordPress account (e.g., subscriber) on a site running MailerPress <= 2.0.2, then invokes the vulnerable plugin action that lacks a proper capability check to assign themselves elevated privileges. With administrative-level access they can install malicious plugins, modify content, or exfiltrate data, achieving full site compromise. …
Remediation No specific vendor-released fix version is stated in the available data, so no patched version can be independently confirmed here; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/mailerpress/vulnerability/wordpress-mailerpress-plugin-2-0-2-privilege-escalation-vulnerability?_s_id=cve) and the WordPress.org plugin page for the first release above 2.0.2 and upgrade to it as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations using MailerPress and identify those running version 2.0.2 or earlier; disable the plugin on production systems if functionality is not critical, or restrict administrative access to trusted administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy