Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Unauthenticated network-reachable privilege escalation in WordPress typically yields administrator capability, which is full site compromise - justifying C:H/I:H/A:H rather than the conservative L/L/L in the supplied vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.
AnalysisAI
Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.
Technical ContextAI
Listdom is a WordPress directory and listing plugin published by Webilia Inc. (CPE cpe:2.3:a:webilia_inc.:listdom). The root cause is classified as CWE-266 (Incorrect Privilege Assignment), a weakness class where the application grants a user privileges that exceed those intended for their role - typically because a plugin-exposed action, AJAX handler, or REST endpoint fails to verify the caller's capability before assigning roles, modifying user meta, or performing privileged operations. In the WordPress plugin ecosystem this commonly manifests as nonce/capability checks being absent on hooks reachable by anonymous visitors, allowing unprivileged callers to invoke logic intended for administrators.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the supplied data - administrators should check the Listdom plugin page on wordpress.org and the vendor changelog for a release later than 5.5.0 and upgrade immediately, consulting https://patchstack.com/database/wordpress/plugin/listdom/vulnerability/wordpress-listdom-plugin-5-5-0-privilege-escalation-vulnerability for advisory details. Until a confirmed fixed version is installed, compensating controls include deactivating the Listdom plugin entirely (trade-off: directory/listing pages will be unavailable), restricting access to wp-admin/admin-ajax.php and the WP REST API for Listdom routes via a WAF rule or virtual patch (trade-off: legitimate front-end calls into Listdom AJAX handlers may break and require allowlisting), and auditing the wp_users and wp_usermeta tables for unexpected role assignments or new administrator accounts created since the plugin was installed.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36871
GHSA-g5vj-vrxx-7p65