Skip to main content

Houzez Login Register CVE-2026-57768

| EUVDEUVD-2026-43389 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-07-13 Patchstack
8.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
8.2 HIGH

Registration-flow role elevation is remotely reachable with low complexity and no prior privileges (PR:N); integrity impact is high from gained role, confidentiality only low, availability unaffected.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:37 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.2

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in favethemes Houzez Login Register houzez-login-register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through <= 3.3.3.

AnalysisAI

Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public registration endpoint
Delivery
Submit crafted role-assignment request
Exploit
Plugin assigns elevated privilege
Execution
Log in as privileged user
Impact
Modify site content or settings

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Houzez Login Register plugin (version ≤ 3.3.3) be installed and that its registration/role-assignment feature be reachable - in practice a WordPress site running Houzez with the plugin's public login/registration forms enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The Patchstack-supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N, 8.2) describes a low-complexity, network-reachable, unauthenticated path with high integrity impact and only limited confidentiality impact - consistent with a registration-time role-elevation rather than data theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker navigates to the plugin's public registration flow and submits a crafted request that manipulates the role or capability assignment, causing the newly created account to be granted a higher-privileged WordPress role than intended. With that elevated role the attacker can alter site content or settings; because integrity impact is rated high, this can lead to defacement, malicious content injection, or further compromise. …
Remediation Upgrade the Houzez Login Register plugin to the first release above 3.3.3 as published by favethemes; the input confirms 3.3.3 and earlier are affected but does not include an exact fixed version, so released patched version is not independently confirmed - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/houzez-login-register/vulnerability/wordpress-houzez-login-register-plugin-3-3-3-privilege-escalation-vulnerability) and the favethemes changelog for the exact fixed build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for Houzez Login Register plugin presence and version; compile inventory of affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy