CVE-2026-34901: WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated privilege escalation vulnerability affects the WordPress iControlWP plugin at version 5.5.3 and earlier. The flaw is reachable over the network and requires no credentials, meaning any external attacker who can reach the WordPress installation can trigger it. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected site. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the iControlWP plugin alongside WordPress. (Status: Available)
HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's active compliance policy so that its urgency is surfaced appropriately. Findings are routed to the correct team inbox within each customer organization based on image ownership and policy configuration. (Status: Available)
Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the maintainer releases a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.
- Authentication: Not required
  No account or session credential of any kind is needed to trigger the privilege escalation.
- Victim interaction: Not required
  The attack is fully server-side; no user needs to click a link or take any action for exploitation to succeed.
- Attack complexity: Low
  The exploit is reliable and requires no race condition, memory layout manipulation, or other environmental precondition.
Blast Radius
- A successful attacker escalates to a privileged WordPress role, gaining the ability to read all site content, user data, and stored credentials.
- The attacker can modify or delete posts, pages, plugin settings, and site configuration, permanently altering persisted data.
- The attacker can install or activate malicious plugins and themes, enabling persistent backdoor access or full server-level compromise depending on hosting configuration.
- The attacker can disrupt site availability by deactivating plugins, corrupting settings, or exhausting server resources.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical-severity finding is active and matches against all images containing iControlWP 5.5.3 or earlier across connected registries and pipelines. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While no patch is available, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict inbound HTTP access to WordPress installations from untrusted sources, egress filtering to limit lateral movement if a host is compromised, and flagging of images containing this plugin as non-compliant to gate deployment in regulated environments.
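The detection described above boils down to finding WordPress images or hosts that carry iControlWP at version 5.5.3 or earlier. The following is an added example written for this page, not HarborGuard's scanner or the plugin's own code: it reads the standard WordPress plugin header (the `Plugin Name:` and `Version:` lines in a plugin's main PHP file), compares the version against the advisory's ceiling of 5.5.3 with proper numeric ordering (so 5.5.10 is correctly treated as newer than 5.5.3), and reports affected plugins. The plugin directory name is not given on the page, so matching is done on the `Plugin Name` header containing "iControlWP"; the sample header texts and paths in the block are constructed for illustration.

```python
"""Flag WordPress installs carrying iControlWP <= 5.5.3 (CVE-2026-34901).

Added example for this advisory page; not HarborGuard's or the plugin's own code.
Matches on the WordPress plugin header rather than a directory slug, since the
plugin's slug is not stated in the advisory (assumption).
"""
import os
import re
from typing import Iterable, Iterator, List, Optional, Tuple

AFFECTED_PLUGIN = "iControlWP"
MAX_AFFECTED_VERSION = "5.5.3"  # advisory: <= 5.5.3 is vulnerable, no fixed version yet

# WordPress plugin headers live in a comment block at the top of the main file,
# as "Plugin Name: X" / "Version: Y", optionally prefixed with " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> Optional[Tuple[str, str]]:
    """Return (plugin_name, version) from a plugin file header, or None if no header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # header is at the top of the file
        fields.setdefault(key, value)  # first occurrence wins
    if "Plugin Name" not in fields:
        return None
    return fields["Plugin Name"], fields.get("Version", "")


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.5.10' -> (5, 5, 10). Stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(plugin_name: str, version: str) -> bool:
    """True when the header names iControlWP at a version <= 5.5.3 (or unknown)."""
    if AFFECTED_PLUGIN.lower() not in plugin_name.lower():
        return False
    if not version:
        return True  # missing version header: treat as affected until proven otherwise
    return version_tuple(version) <= version_tuple(MAX_AFFECTED_VERSION)


def find_vulnerable(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (path, file_text) pairs, return (path, plugin_name, version) for affected plugins."""
    findings = []
    for path, text in entries:
        header = parse_plugin_header(text)
        if header is None:
            continue
        name, version = header
        if is_vulnerable(name, version):
            findings.append((path, name, version))
    return findings


def read_plugin_files(plugins_root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for every .php file under wp-content/plugins (or an image layer)."""
    for dirpath, _dirs, files in os.walk(plugins_root):
        for fname in files:
            if fname.endswith(".php"):
                full = os.path.join(dirpath, fname)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    yield full, fh.read(8192)


if __name__ == "__main__":
    # Constructed sample headers standing in for files found in an image scan.
    samples = [
        ("/var/www/html/wp-content/plugins/example-a/plugin.php",
         "<?php\n/*\nPlugin Name: iControlWP\nVersion: 5.5.3\n*/\n"),
        ("/var/www/html/wp-content/plugins/example-b/plugin.php",
         "<?php\n/**\n * Plugin Name: iControlWP\n * Version: 5.5.10\n */\n"),
        ("/var/www/html/wp-content/plugins/example-c/plugin.php",
         "<?php\n/*\nPlugin Name: Unrelated Plugin\nVersion: 1.0\n*/\n"),
    ]
    for path, name, version in find_vulnerable(samples):
        print(f"AFFECTED {path}: {name} {version} <= {MAX_AFFECTED_VERSION} (CVE-2026-34901)")
```

Pointing `read_plugin_files` at an unpacked image layer or a live `wp-content/plugins` directory and feeding it to `find_vulnerable` gives the same check a registry or CI gate would run; because no fixed version exists yet, every iControlWP hit is reportable, and the version ceiling is the only thing to update once the maintainer publishes a fix.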
- Paul / iControlWP ≤ 5.5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H