CVE-2025-12158 | Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.
Conclusion & alert: CVE-2025-12158 is rated Moderate Risk (49.3/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.37%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2025-12158
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).