The Spectra Pro plugin for WordPress contains a privilege escalation vulnerability (CWE-269) in all versions up to and including 1.1.5. Authenticated users with author-level access or above can exploit this flaw by creating registration forms that set the default user role to administrator. This bypasses intended privilege restrictions and allows unauthorized creation of administrator accounts. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Successful exploitation results in unauthorized privilege escalation, granting attacker-controlled accounts full administrator rights on the affected WordPress site. This can lead to complete site compromise, including data theft, site defacement, or further malicious activity. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Users should monitor Brainstorm Force advisories for updates and consider restricting author-level user capabilities as a temporary mitigation until a fix is released.