CVE-2025-22736: 
WordPress vulnerability analysis and mitigation

A privilege escalation vulnerability was discovered in WPExperts User Management WordPress plugin, identified as CVE-2025-22736. The vulnerability affects versions through 1.2 of the User Management plugin and was disclosed on January 14, 2025. The issue is classified as an Incorrect Privilege Assignment vulnerability that could allow unauthorized privilege escalation for authenticated users with Subscriber or higher privileges (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-266 (Incorrect Privilege Assignment). The vulnerability requires an authenticated user with at least Subscriber level access to exploit (NVD, Patchstack).

The vulnerability could allow malicious actors to escalate their low-privileged account to one with higher privileges. If successfully exploited, attackers could potentially gain full control of the website if high privileges are obtained (Patchstack).

As of January 22, 2025, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement mitigation measures immediately (Patchstack).