CVE-2026-27542

CRITICAL EXPLOITED

WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability

Title source: cna

Exploitation Summary

CVE-2026-27542 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Nxploited.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-27542 and CVE-2026-27540, targeting WordPress vulnerabilities. The script includes methods for unauthenticated privilege escalation and arbitrary file upload, with detailed session handling and administrative access checks.

Description

Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture (woocommerce-wholesale-lead-capture) allows Privilege Escalation. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1.

Exploits (1)

nomisec WORKING POC
by Nxploited · remote
https://github.com/Nxploited/CVE-2026-27542-CVE-2026-27540-

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress
No auth needed
Prerequisites: WordPress installation · network access to target
devstral-2 · analyzed Apr 18, 2026

Scores

CVSS v3 9.8
EPSS 0.0002
EPSS Percentile 5.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV: 2026-02-20
CWE: CWE-266
Status: published
Products (1)
Rymera Web Co Pty Ltd./Woocommerce Wholesale Lead Capture < 2.0.3.1
Published Mar 19, 2026
Tracked Since Mar 19, 2026