PT-2021-11869 · WordPress · Aam Advanced Access Manager

Published

2021-01-01

·

Updated

2024-01-05

·

CVE-2020-35935

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Advanced Access Manager plugin versions prior to 6.6.2 for WordPress
Description: The plugin allows privilege escalation on profile updates via the aam_user_roles POST parameter when Multiple Role support is enabled. The check that decides whether the acting user is entitled to add a role did not work in various custom-role scenarios, so an authenticated user who can update a profile could end up with roles the check should have refused (consistent with the PR:L, C:H/I:H/A:H vector above).
Recommendations: Update to version 6.6.2 or later. If the update cannot be applied immediately, disable Multiple Role support, which removes the affected code path, and limit which accounts may edit user profiles until the plugin is updated. The installed version can be confirmed from the Plugins page or with WP-CLI (`wp plugin get advanced-access-manager --field=version`).
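The class of mistake described above is a role-assignment check that does not treat custom roles the same way as built-in ones. The following is an added example, not code from the Advanced Access Manager plugin or its 6.6.2 fix, of the conservative pattern WordPress core itself uses: the submitted list is validated against get_editable_roles(), which runs the editable_roles filter and therefore covers roles registered with add_role(), and the whole request fails closed on the first role the acting user may not assign. It assumes the roles arrive as an array in the aam_user_roles POST parameter; the function names are hypothetical, and it must run inside WordPress since it calls core functions.

```php
<?php
/**
 * Added example (not AAM's code or its fix): validate a multi-role list
 * submitted with a profile update before it is applied to the user.
 *
 * Assumptions: roles arrive as an array in $_POST['aam_user_roles'];
 * function names are hypothetical; runs inside WordPress.
 */

/**
 * Return the sanitized role slugs the acting user may assign, or a WP_Error.
 *
 * @param mixed $submitted      Raw value of the POST parameter.
 * @param int   $target_user_id User whose roles are being changed.
 * @return string[]|WP_Error
 */
function example_validate_submitted_roles( $submitted, $target_user_id ) {
    // Same gate WordPress core applies before honouring $_POST['role'].
    if ( ! current_user_can( 'promote_users' )
        || ! current_user_can( 'promote_user', $target_user_id ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to change user roles.' );
    }

    // get_editable_roles() runs the 'editable_roles' filter, so custom roles
    // registered with add_role() are subject to exactly the same rule as the
    // built-in ones; the decision never depends on string-matching role names.
    $allowed = get_editable_roles();
    $clean   = array();

    foreach ( (array) $submitted as $role ) {
        $role = sanitize_key( (string) $role );
        if ( '' === $role ) {
            continue;
        }
        // Fail closed: one unassignable role rejects the whole request,
        // rather than silently dropping it and applying the rest.
        if ( empty( $allowed[ $role ] ) ) {
            return new WP_Error(
                'forbidden',
                sprintf( 'You are not allowed to assign the role "%s".', $role )
            );
        }
        $clean[ $role ] = true; // keyed array de-duplicates repeated slugs
    }

    return array_keys( $clean );
}

/**
 * Hypothetical handler for the admin profile form. These two actions fire
 * from edit_user() only after core has already verified the form nonce, so
 * REST or programmatic updates never reach this code path.
 *
 * @param int $user_id User being edited.
 */
function example_apply_submitted_roles( $user_id ) {
    if ( ! isset( $_POST['aam_user_roles'] ) ) {
        return;
    }
    $roles = example_validate_submitted_roles(
        wp_unslash( $_POST['aam_user_roles'] ),
        (int) $user_id
    );
    if ( is_wp_error( $roles ) ) {
        wp_die( esc_html( $roles->get_error_message() ), 403 );
    }
    $user = get_userdata( $user_id );
    $user->set_role( '' );        // clear the existing role set
    foreach ( $roles as $role ) {
        $user->add_role( $role ); // then add each validated role
    }
}
add_action( 'personal_options_update', 'example_apply_submitted_roles' );
add_action( 'edit_user_profile_update', 'example_apply_submitted_roles' );
```

The design choice worth copying is that entitlement is computed once from the acting user's capabilities and the filtered editable-roles map, not from the target user's current roles or from the submitted list; a user editing their own profile without promote_users is refused before any role name is examined.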

Related Identifiers

CVE-2020-35935

Affected Products

Aam Advanced Access Manager