CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-34901

CVSS 9.8v3.1pub. 2026-06-15

Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-266 (Incorrect Privilege Assignment) and indicates improper privilege assignment in the plugin's logic. A remote attacker, without authentication, is able to invoke plugin functionality that results in granting higher privileges than they are entitled to. The network attack vector (AV:N) with no required complexity (AC:L) and without the need to possess an account (PR:N) makes the vulnerability trivial to exploit.

Impact

An attacker can take full control of the WordPress installation, gaining unauthorized access to sensitive data, ability to modify content, and potentially complete takeover of the server hosting the website.

Mitigation & patch

The iControlWP plugin must be immediately updated to a version newer than 5.5.3. Details regarding the patched version are available in the vendor's references and in the Patchstack database. Until the update is applied, it is recommended to deactivate or remove the plugin.

Who is affected

iControlWP plugin versions 5.5.3 and earlier for the WordPress platform.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
LPE
CWE
References