CVE-2026-8157 PUBLISHED

Vitepos < 3.4.2 - Outlet Manager+ Privilege Escalation

Assigner: WPScan
Reserved: 08.05.2026 Published: 22.06.2026 Updated: 22.06.2026

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.

Product Status

Vendor	Unknown
Product	Vitepos
Versions	Default: unaffected affected from 0 to 3.4.2 (excl.)

Credits

Real_King_Engine (ISAL FRAMEWORK) finder
WPScan coordinator

References

https://wpscan.com/vulnerability/6680cc6a-9758-4040-bb39-7b9545041dc3/

Problem Types

CWE-269 Improper Privilege Management CWE