PT-2026-35344 · WordPress · Custom Role Manager

Herc Bandiola · Published 2026-04-27 · Updated 2026-06-04 · CVE-2026-7106

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Highland Software Custom Role Manager, versions prior to 1.0.1

Description: The Highland Software Custom Role Manager plugin for WordPress allows privilege escalation due to insufficient authorization checks in the hscrm_save_user_roles() function. This function is hooked to the personal_options_update action, which fires whenever any authenticated user saves their own profile. Consequently, an attacker with Subscriber-level access or higher can potentially modify user roles through the profile update form.

Recommendations: Update to a version later than 1.0.0. As a temporary workaround, restrict access to the hscrm_save_user_roles() function (for example, by requiring a role-management capability before it acts) to prevent unauthorized role modifications.
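The handler the advisory describes, rewritten with the checks it says are missing, as an added example (not the Custom Role Manager plugin's own code). The hook names, capabilities and the `update-user_{ID}` nonce action are WordPress core; the function name `example_save_user_roles` and the form field `example_roles` are assumed for this illustration.

```php
<?php
/**
 * Hardened role-save handler (illustrative; not the plugin's code).
 * Hooks, capabilities and nonce action are WordPress core; the function
 * and form-field names are assumptions made for this example.
 */
function example_save_user_roles( $user_id ) {
    // Only act when this example's own field was submitted.
    if ( ! isset( $_POST['example_roles'] ) || ! is_array( $_POST['example_roles'] ) ) {
        return;
    }

    // CSRF: the profile / user-edit form is signed with this nonce action.
    check_admin_referer( 'update-user_' . $user_id );

    // Authorization: the advisory's root cause is a handler reachable through
    // personal_options_update by any logged-in user. Saving one's own profile
    // is not the same privilege as changing roles, so require both checks.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    // Conservative choice: nobody changes their own role set from this form.
    if ( (int) $user_id === get_current_user_id() ) {
        return;
    }

    // Accept only roles the current user is permitted to assign.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $editable  = array_keys( get_editable_roles() );
    $requested = array_map( 'sanitize_key', wp_unslash( $_POST['example_roles'] ) );
    $roles     = array_values( array_unique( array_intersect( $requested, $editable ) ) );
    if ( empty( $roles ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $user->set_role( array_shift( $roles ) ); // replaces the existing role set
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}
add_action( 'personal_options_update', 'example_save_user_roles' );
add_action( 'edit_user_profile_update', 'example_save_user_roles' );
```

Without the capability check in the middle of the function, every remaining line is reachable by a Subscriber saving their own profile, which is exactly the condition the advisory describes.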

Tags: Fix · LPE · Improper Privilege Management
