CVE-2026-0844 is a vulnerability classified under CWE-284 (Improper Access Control) found in the Simple User Registration plugin for WordPress, developed by nmedia. This plugin is widely used to facilitate user registrations on WordPress sites. The vulnerability exists in the 'profile_save_field' function, which insufficiently restricts the modification of user roles. Specifically, authenticated users with minimal privileges, such as subscribers, can exploit this flaw by supplying the 'wp_capabilities' parameter during profile updates, effectively escalating their privileges to higher roles like administrators. This bypasses intended access controls and allows attackers to gain unauthorized administrative access. The vulnerability affects all versions up to and including 6.7 of the plugin. The CVSS v3.1 base score is 8.8, indicating a high severity with attack vector being network-based, low attack complexity, requiring only low privileges, no user interaction, and impacting confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature makes it a critical concern for WordPress sites using this plugin. The lack of an official patch at the time of reporting necessitates immediate mitigation steps to prevent exploitation.

The impact of CVE-2026-0844 is significant for organizations running WordPress sites with the vulnerable Simple User Registration plugin. Successful exploitation allows attackers with minimal privileges to escalate their access to administrative levels, compromising the entire website's confidentiality, integrity, and availability. This can lead to unauthorized data access, website defacement, insertion of malicious code, data theft, and potential use of the compromised site as a launchpad for further attacks. Organizations relying on this plugin for user management face risks of complete site takeover, loss of customer trust, regulatory penalties due to data breaches, and operational disruptions. Given WordPress's extensive use globally, the vulnerability poses a widespread threat, especially to small and medium-sized businesses that may lack robust security monitoring.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict access to user profile update functionalities by limiting authenticated user roles to only those necessary; 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to modify the 'wp_capabilities' parameter in profile update requests; 3) Monitor logs for unusual privilege escalation attempts or unexpected changes in user roles; 4) Temporarily disable or replace the Simple User Registration plugin with alternative secure user registration solutions; 5) Enforce the principle of least privilege across all user accounts and regularly audit user roles; 6) Keep WordPress core and all plugins updated and subscribe to security advisories from the plugin vendor and WordPress security communities; 7) Implement multi-factor authentication for administrative accounts to reduce risk if privilege escalation occurs.