Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
The vulnerability is classified as CWE-266 (Incorrect Privilege Assignment) and indicates improper privilege assignment in the plugin's logic. A remote attacker, without authentication, is able to invoke plugin functionality that results in granting higher privileges than they are entitled to. The network attack vector (AV:N) with no required complexity (AC:L) and without the need to possess an account (PR:N) makes the vulnerability trivial to exploit.
An attacker can take full control of the WordPress installation, gaining unauthorized access to sensitive data, ability to modify content, and potentially complete takeover of the server hosting the website.
The iControlWP plugin must be immediately updated to a version newer than 5.5.3. Details regarding the patched version are available in the vendor's references and in the Patchstack database. Until the update is applied, it is recommended to deactivate or remove the plugin.
iControlWP plugin versions 5.5.3 and earlier for the WordPress platform.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H