
CVE-2026-0912: CWE-269 Improper Privilege Management in toret Toret Manager

Severity: High
Tags: Vulnerability, CVE-2026-0912, CWE-269
Published: Thu Feb 19 2026 (02/19/2026, 04:36:10 UTC)
Source: CVE Database V5
Vendor/Project: toret
Product: Toret Manager

Description

The Toret Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'trman_save_option' function and on the 'trman_save_option_items' function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

AI-Powered Analysis

AI analysis last updated: 02/19/2026, 05:11:08 UTC

Technical Analysis

The vulnerability identified as CVE-2026-0912 affects the Toret Manager plugin for WordPress, specifically all versions up to and including 1.2.7. The root cause is improper privilege management (CWE-269) due to missing capability checks in two key functions: 'trman_save_option' and 'trman_save_option_items'. These functions are responsible for saving plugin options but do not verify whether the user has sufficient privileges to perform these actions. Consequently, any authenticated user with at least Subscriber-level access can invoke these functions to modify arbitrary WordPress options. A critical exploitation vector involves changing the 'default_role' option to 'administrator' and enabling user registration, which allows attackers to create new administrator accounts without authorization. This leads to full site compromise, including the ability to execute arbitrary code, steal data, or disrupt site availability. The vulnerability is remotely exploitable over the network without user interaction and requires only low privileges, making it highly accessible to attackers. The CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation. Although no public exploits are currently known, the vulnerability poses a significant risk given the widespread use of WordPress and the Toret Manager plugin in various organizational websites. The lack of an official patch at the time of reporting increases the urgency for mitigation.
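The missing-capability-check pattern described above, reconstructed as an added example for a hypothetical plugin (this is not Toret Manager's code, and the function and AJAX action names are assumptions). The vulnerable handler writes whatever option name it is handed; the hardened version adds the three controls a WordPress option-saving endpoint needs: a nonce, a `manage_options` capability check, and an allowlist of the plugin's own option names so that core options such as `default_role` can never be reached through it.

```php
<?php
// Added example (not Toret Manager's own code): a hypothetical plugin's
// option-saving AJAX handler, first with the CWE-269 defect, then hardened.
// Function names and the 'example_*' action names are assumptions.

// --- Vulnerable pattern: any logged-in user (Subscriber included) can reach
// this handler through admin-ajax.php and write any option, e.g. default_role
// or users_can_register, because nothing checks who is asking.
add_action( 'wp_ajax_example_save_option', 'example_save_option_vulnerable' );
function example_save_option_vulnerable() {
    $name  = isset( $_POST['name'] )  ? sanitize_key( $_POST['name'] ) : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $name, $value ); // no current_user_can(), no nonce, no allowlist
    wp_send_json_success();
}

// --- Hardened version: three independent controls.
add_action( 'wp_ajax_example_save_option_secure', 'example_save_option_secure' );
function example_save_option_secure() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action (generated on the settings page with wp_create_nonce()).
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Authorization: only users holding manage_options (administrators by
    //    default) get past this point. A Subscriber fails here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist: even an administrator may only touch the plugin's own
    //    options, never core options such as default_role or users_can_register.
    $allowed = array( 'example_setting_a', 'example_setting_b' ); // hypothetical plugin options
    $name    = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

Of the three controls, the capability check is the one the advisory says is missing; the allowlist is what limits the blast radius if a future check is ever bypassed, because a settings endpoint that can name arbitrary options is one logic bug away from `default_role` regardless of who is calling it.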

Potential Impact

For European organizations, this vulnerability can lead to complete compromise of WordPress-based websites that use the Toret Manager plugin. Attackers gaining administrative access can manipulate website content, steal sensitive user data, deploy malware, or use the site as a pivot point for further network attacks. Organizations relying on WordPress for customer-facing portals, e-commerce, or internal communications face risks to their reputation, regulatory compliance (e.g., GDPR), and operational continuity. The ability to escalate privileges from a low-level account means that even minimally privileged users or compromised subscriber accounts can lead to full site takeover. This is particularly concerning for sectors with high-value targets such as finance, healthcare, government, and critical infrastructure within Europe. Additionally, the vulnerability could be exploited to distribute misinformation or conduct phishing campaigns using compromised legitimate websites. The absence of known exploits does not diminish the threat, as the vulnerability is straightforward to exploit and may be targeted in the near future.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Toret Manager plugin and verify its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restricting user registration and limiting Subscriber-level access can reduce exposure. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block requests invoking 'trman_save_option' or 'trman_save_option_items' functions can provide temporary protection. Regularly monitoring WordPress logs for suspicious option changes or new administrator accounts is critical for early detection. Organizations should also enforce strong authentication and consider multi-factor authentication for all administrative accounts to mitigate the impact of potential compromises. Finally, maintaining up-to-date backups and having an incident response plan tailored to WordPress compromises will aid in rapid recovery if exploitation occurs.
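The monitoring and interim-protection steps above, as an added example in the form of a small must-use plugin (this is not part of the advisory or of Toret Manager). It uses core WordPress hooks to refuse changes to `default_role` and `users_can_register` from users who lack `manage_options`, and to log every change to those options plus any account that is created as, or promoted to, administrator. The logging destination (the PHP error log) and the `example_` naming are assumptions.

```php
<?php
/**
 * Plugin Name: Example Option Guard (mu-plugin)
 *
 * Added example, not part of the advisory or the Toret Manager plugin. Place
 * it in wp-content/mu-plugins/ so it loads before ordinary plugins. It logs,
 * and for non-privileged callers blocks, the two option changes the advisory
 * describes, and logs administrator account creation or promotion.
 * Hook names are core WordPress hooks; error_log() as the sink is an assumption.
 */

// The pair of options an attacker would change to self-register as administrator.
const EXAMPLE_GUARDED_OPTIONS = array( 'default_role', 'users_can_register' );

function example_guard_log( $message ) {
    $user = wp_get_current_user();
    $who  = ( $user && $user->ID ) ? $user->user_login . ' (#' . $user->ID . ')' : 'anonymous';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
    error_log( sprintf( '[option-guard] %s | user=%s ip=%s uri=%s', $message, $who, $ip, $uri ) );
}

foreach ( EXAMPLE_GUARDED_OPTIONS as $opt ) {
    // 1. Guard: pre_update_option_{$option} runs before the write; returning the
    //    old value turns update_option() into a no-op. WP-CLI runs with no
    //    logged-in user, so it is exempted to keep `wp option update` working.
    add_filter( "pre_update_option_{$opt}", function ( $value, $old_value ) use ( $opt ) {
        if ( defined( 'WP_CLI' ) && WP_CLI ) {
            return $value;
        }
        if ( $value !== $old_value && ! current_user_can( 'manage_options' ) ) {
            example_guard_log( "BLOCKED change of '{$opt}' from '{$old_value}' to '{$value}'" );
            return $old_value;
        }
        return $value;
    }, 10, 2 );

    // 2. Detection: record every successful change, legitimate ones included,
    //    so a default_role=administrator entry stands out in the log.
    add_action( "update_option_{$opt}", function ( $old_value, $value ) use ( $opt ) {
        example_guard_log( "CHANGED '{$opt}' from '{$old_value}' to '{$value}'" );
    }, 10, 2 );
}

// 3. Detection: accounts that are registered directly into, or later moved
//    into, the administrator role.
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    if ( $u && in_array( 'administrator', (array) $u->roles, true ) ) {
        example_guard_log( "NEW ADMIN registered: {$u->user_login} (#{$user_id})" );
    }
} );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        example_guard_log( "ROLE ESCALATED to administrator: user #{$user_id}" );
    }
}, 10, 3 );
```

The guard is a compensating control for the interval before a vendor fix, not a replacement for it: it only covers the two options the advisory names, while the underlying defect lets a Subscriber write any option. Ship the log lines to whatever central logging the site already uses, and alert on the `BLOCKED`, `NEW ADMIN` and `ROLE ESCALATED` markers.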


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-13T18:41:22.149Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699697f56aea4a407a3be0dd

Added to database: 2/19/2026, 4:56:21 AM

Last enriched: 2/19/2026, 5:11:08 AM

Last updated: 2/21/2026, 12:20:15 AM

