PT-2022-9589 · Publishpress · Publishpress Capabilities Pro

Krzysztof Zając · Published 2022-01-10 · Updated 2025-06-05

CVE-2021-25032

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PublishPress Capabilities WordPress plugin versions prior to 2.3.1
PublishPress Capabilities Pro WordPress plugin versions prior to 2.3.1

Description
The issue concerns a lack of authorization and CSRF checks when updating plugin settings via the init hook. This allows unauthenticated attackers to update arbitrary blog options, such as the default role, potentially making any new registered user an administrator.

Recommendations
For PublishPress Capabilities WordPress plugin versions prior to 2.3.1, update to version 2.3.1 or later. For PublishPress Capabilities Pro WordPress plugin versions prior to 2.3.1, update to version 2.3.1 or later.
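The pattern behind this class of bug, as an added illustration that is not PublishPress's code: a hypothetical settings-save handler hooked to init is shown first in the weak form the description refers to (no capability check, no nonce, option names taken from the request), then in a hardened form. Function and option names (weak_save_settings, hardened_save_settings, example_setting_a, example_nonce) are invented for the example.

```php
<?php
// Hypothetical WordPress plugin code (not from the PublishPress plugin).

// WEAK: init fires on every request, including unauthenticated ones, and this
// handler trusts the POST body. Any visitor can rewrite arbitrary options,
// which is how an option such as default_role can be changed.
function weak_save_settings() {
    if ( ! isset( $_POST['save_settings'], $_POST['options'] ) ) {
        return;
    }
    foreach ( (array) $_POST['options'] as $name => $value ) {
        update_option( $name, $value );
    }
}
add_action( 'init', 'weak_save_settings' );

// HARDENED: authorization, CSRF protection and an allow-list of option names.
function hardened_save_settings() {
    if ( ! isset( $_POST['save_settings'], $_POST['options'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options proceed. Hooking
    //    admin_init instead of init is not a substitute, since admin_init also
    //    fires for admin-ajax.php requests from anonymous users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the form must carry a nonce issued to this user for this action
    //    (generated on the settings page with wp_nonce_field('example_save_settings', 'example_nonce')).
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Never take option names from the request; only update known settings.
    $allowed = array( 'example_setting_a', 'example_setting_b' );
    foreach ( $allowed as $name ) {
        if ( isset( $_POST['options'][ $name ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST['options'][ $name ] ) );
            update_option( $name, $value );
        }
    }
}
add_action( 'admin_init', 'hardened_save_settings' );
```

When auditing a plugin for this issue, look for update_option() calls reachable from init or admin_init handlers that lack both a current_user_can() check and a nonce check.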

Weakness Enumeration
Missing Authorization
CSRF

Related Identifiers
CVE-2021-25032

Affected Products
Publishpress Capabilities Pro