{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32520", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:19.946Z", "datePublished": "2026-03-25T16:15:07.137Z", "dateUpdated": "2026-03-25T16:15:07.137Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rewardswp", "product": "RewardsWP", "vendor": "Andrew Munro / AffiliateWP", "versions": [{"changes": [{"at": "1.0.5", "status": "unaffected"}], "lessThanOrEqual": "<= 1.0.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:40.555Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.<p>This issue affects RewardsWP: from n/a through <= 1.0.4.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:07.137Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress RewardsWP plugin <= 1.0.4 - Privilege Escalation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4."}], "id": "CVE-2026-32520", "lastModified": "2026-03-25T17:17:04.773", "metrics": {}, "published": "2026-03-25T17:17:04.773", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:27:08.338410+00:00", "value": {"mitigation_remediation": ["Update the RewardsWP plugin to the latest version (1.0.5 or newer).", "Review all user accounts for unexpected privilege levels.", "Revoke any elevated privileges that are not required by legitimate roles.", "Monitor WordPress logs for unusual permission changes or new administrator accounts."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Andrew Munro / AffiliateWP RewardsWP is provided as a WordPress plugin. The flaw exists in all releases up to and including version 1.0.4. Sites running any of those versions are susceptible. No further version details are provided, so any instance of 1.0.4 or older should be considered affected.", "description_and_impact": "The RewardsWP plugin contains an incorrect privilege assignment flaw that lets a user obtain higher privileges than they should have. This vulnerability, classified under CWE-266, enables an attacker to gain privileges beyond the scope of their current role, potentially reaching full administrator rights on the WordPress site. If exploited, the attacker could modify site settings, create or delete content, or compromise other plugins and themes.", "risk_and_exploitability": "The CVSS score is not supplied, but the nature of a privilege escalation means the potential impact is significant, as it can affect the entire WordPress installation. The EPSS score is not available, and the vulnerability is not listed in the KEV catalog. The attack vector is likely through the plugin\u2019s administrative interface; an attacker with a low\u2011privilege role could use the bug to elevate themselves. Exploitation requires the plugin to be active and the user to have access to the WordPress dashboard or the plugin\u2019s settings page."}}}}, "created": "2026-03-25T21:47:19.976814+00:00", "updated": "2026-03-25T21:47:19.976847+00:00", "vendors": []}