CVE-2026-0844 is a vulnerability classified under CWE-284 (Improper Access Control) found in the Simple User Registration plugin for WordPress, developed by nmedia. This plugin, widely used to facilitate user registrations on WordPress sites, contains a critical flaw in its 'profile_save_field' function. The function does not adequately restrict access to the 'wp_capabilities' parameter, which controls user roles and permissions within WordPress. As a result, authenticated users with minimal privileges, such as subscribers, can manipulate this parameter during profile updates to escalate their privileges to higher roles, including administrator. This escalation bypasses normal role assignment controls, enabling attackers to gain full control over the WordPress site. The vulnerability affects all versions up to and including 6.7 of the plugin. The CVSS v3.1 score of 8.8 indicates a high severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), requiring only low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). No patches were linked at the time of reporting, and no known exploits have been observed in the wild, but the vulnerability's nature makes it a prime target for exploitation. The flaw can compromise the entire WordPress installation, potentially leading to data theft, site defacement, or use of the site as a launchpad for further attacks.

For European organizations, this vulnerability poses a significant risk, particularly for those relying on WordPress for business websites, e-commerce platforms, or internal portals. Successful exploitation can lead to full administrative access, allowing attackers to modify content, steal sensitive data, deploy malware, or disrupt services. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational downtime. Public sector websites and critical infrastructure managed via WordPress are especially vulnerable, as attackers could manipulate or disable essential services. The ease of exploitation without user interaction and the ability to escalate privileges from a low-level account increase the threat level. Additionally, the widespread use of WordPress and its plugins across Europe amplifies the potential attack surface.

European organizations should immediately audit their WordPress installations to identify the presence of the Simple User Registration plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin if it is not essential. If the plugin is required, restrict user registration and profile update capabilities to trusted users only, and implement additional access control measures such as Web Application Firewalls (WAFs) with rules to block attempts to modify 'wp_capabilities' parameters. Monitoring logs for unusual profile update requests and privilege changes can help detect exploitation attempts. Organizations should also ensure WordPress core and all plugins are regularly updated and consider employing role management plugins that enforce stricter permission controls. Finally, prepare to apply vendor patches promptly once available and conduct post-patch testing to verify the vulnerability is resolved.