Privilege Escalation Vulnerability in WP Extended Plugin for WordPress
CVE-2026-4314

8.8HIGH

Key Information:

Vendor: WordPress
Status: The Ultimate WordPress Toolkit – WP Extended
Vendor: CVE Published:; 22 March 2026

What is CVE-2026-4314?

The WP Extended plugin for WordPress contains a security flaw that enables privilege escalation due to a vulnerability in the Menu Editor module. Specifically, the 'isDashboardOrProfileRequest()' method employs an improperly secured check using 'strpos()' on '$_SERVER['REQUEST_URI']' to identify dashboard or profile requests. This flaw allows authenticated attackers with Subscriber-level access to manipulate requests by appending specific query parameters to admin URLs. As a result, these attackers can obtain elevated privileges, including 'manage_options', thereby enabling them to alter critical WordPress settings and create new Administrator accounts.

Affected Version(s)

The Ultimate WordPress Toolkit – WP Extended 0 <= 3.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpextended/tag...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Hung Nguyen

CVE-2026-4314 Data

JSON