CVE-2025-3418 · HIGH 8.8 · EPSS p25.5%

Description

The WPC Admin Columns plugin for WordPress is vulnerable to privilege escalation in versions 2.0.6 to 2.1.0. This is due to the plugin not properly restricting user meta values that can be updated through the ajax_edit_save() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% probability of exploitation · percentile 25.5% · 2026-06-19T12:03:05Z
Published: 2025-04-12
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-269

References

  1. https://plugins.trac.wordpress.org/changeset/3269302/wpc-admin-columns/trunk/includes/class-backend.php
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/6145e2d7-c917-4814-a13e-6d34088cb784?source=cve

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Privilege Management (cwe-269) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-3101
  2. CVE-2025-14866
  3. CVE-2025-6366
  4. CVE-2025-7722
  5. CVE-2025-1653
  6. CVE-2025-3417

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.