Privilege Escalation Vulnerability in Highland Software Custom Role Manager for WordPress
CVE-2026-7106

8.8 HIGH

Key Information:

Vendor

WordPress

CVE Published:
27 April 2026

What is CVE-2026-7106?

The Highland Software Custom Role Manager plugin for WordPress contains a vulnerability that allows for Privilege Escalation. This issue arises from inadequate authorization checks within the hscrm_save_user_roles() function, which is triggered by the personal_options_update action. As a result, authenticated users with at least Subscriber-level access may exploit this flaw to alter user roles through the profile update form, potentially compromising user permissions and increasing security risks.
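The missing control described above, shown as an added example of a hardened role-saving callback; this is not the plugin's code or its patch. The function name `example_save_user_roles` and the form field `example_extra_roles` are hypothetical, and the WordPress calls are core APIs.

```php
<?php
// Added example: hypothetical hardened handler for a role-saving profile hook.
// 'example_save_user_roles' and the 'example_extra_roles' field are assumptions.

// personal_options_update fires when ANY logged-in user saves their own profile,
// so the callback itself must decide whether the caller may change roles.
add_action( 'personal_options_update', 'example_save_user_roles' );
add_action( 'edit_user_profile_update', 'example_save_user_roles' );

function example_save_user_roles( $user_id ) {
    $user_id = (int) $user_id;

    // 1. CSRF: verify the nonce that core's profile form carries.
    check_admin_referer( 'update-user_' . $user_id );

    // 2. Authorization: the same capability checks core applies before it
    //    honours a role change. Subscribers hold neither capability.
    if ( ! current_user_can( 'promote_users' )
        || ! current_user_can( 'promote_user', $user_id ) ) {
        return;
    }

    if ( empty( $_POST['example_extra_roles'] ) || ! is_array( $_POST['example_extra_roles'] ) ) {
        return;
    }

    // 3. Input validation: accept only roles the current user is allowed to
    //    assign, never arbitrary role slugs taken from the request.
    $requested = array_map( 'sanitize_key', wp_unslash( $_POST['example_extra_roles'] ) );
    $allowed   = array_keys( get_editable_roles() );
    $roles     = array_values( array_intersect( $requested, $allowed ) );
    if ( empty( $roles ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // First role replaces the existing set; the rest are added on top.
    $user->set_role( array_shift( $roles ) );
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}
```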

Affected Version(s)

Highland Software Custom Role Manager 0 <= 1.0.0

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Herc Bandiola