Review
Redux Framework
CVE published 2026-07-16
CVE-2026-12525
The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. This issue affects sites where the Redux Framework WordPress plugin's user-profile feature is enabled. Sit [truncated]