CVE-2026-4297 is a missing authorization vulnerability in the Welcome Software Publishing WordPress plugin (up to and including version 0.0.31). The nc_setOption() function, accessible via the nc.setOption XML-RPC method, authenticates users but fails to perform an authorization check such as current_user_can('manage_options'). This flaw enables authenticated users with low privileges (Subscriber and above) to update arbitrary WordPress options, including the critical default_role option. By setting default_role to 'administrator', attackers can register new administrator accounts, resulting in full privilege escalation and site takeover. The vulnerability has a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No official patch or remediation level is indicated in the available data.

An attacker with authenticated access at Subscriber level or higher can exploit this vulnerability to escalate privileges to administrator by modifying WordPress options via XML-RPC. This leads to complete site compromise, including confidentiality, integrity, and availability impacts. The vulnerability allows arbitrary options updates without proper authorization checks, enabling attackers to create new administrator accounts and fully control the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or disable XML-RPC access if possible to mitigate exploitation risk. Monitor for suspicious account creation or option changes. Avoid granting unnecessary authenticated access to untrusted users.