
CVE-2026-22337 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-22337 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-22337 is a critical incorrect privilege assignment vulnerability in the Directorist Social Login WordPress plugin, affecting all versions prior to 2.1.4, which allows unauthenticated or low-privileged users to escalate their privileges within the application.

Technical Detail

The flaw stems from improper privilege assignment during the social login authentication flow, where the plugin fails to correctly validate or restrict the role assigned to a user upon account creation or login via a social provider. An attacker can exploit this by initiating a social login request and manipulating the authentication process to obtain a higher-privileged role, such as administrator, without legitimate authorization. Successful exploitation results in full privilege escalation, potentially granting complete control over the affected WordPress installation.
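The following is an added illustration, not code from the Directorist Social Login plugin or its authors. The briefing does not describe the plugin's internals, so this shows only the generic pattern behind an incorrect-privilege-assignment bug in a social login flow (a new account's role derived from data the client or provider can influence) beside a hardened version in which the role is a server-side decision and existing accounts are logged in without any role change. The callback functions, the `$profile`/`$request` array shapes and the `social_login_user_created` hook name are all hypothetical; the WordPress functions used (`wp_insert_user`, `get_user_by`, `get_option`, `get_role`) are real.

```php
<?php
// Added illustration, not the Directorist Social Login plugin's code.
// Assumed inputs: $profile is the profile array the social provider returned
// after verifying the user (hypothetical keys: 'email', 'name'); $request is
// the raw callback request data.

// WEAK: the role comes from outside the site's control. Anything the client
// or provider can influence (a query parameter, a hidden form field, a
// provider-supplied "role" claim) decides what the new account may do.
function weak_social_login_create_user( array $profile, array $request ) {
    $role = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : 'subscriber';

    return wp_insert_user( array(
        'user_login' => sanitize_user( $profile['email'], true ),
        'user_email' => sanitize_email( $profile['email'] ),
        'user_pass'  => wp_generate_password( 32, true, true ),
        'role'       => $role, // 'administrator' is accepted as readily as 'subscriber'
    ) );
}

// HARDENED: the role is never read from the request or the provider. New
// accounts get the site's default role, capped so that a misconfigured default
// cannot mint privileged users; existing accounts keep the roles they had.
function hardened_social_login_user( array $profile ) {
    $email = sanitize_email( isset( $profile['email'] ) ? $profile['email'] : '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'social_login_no_email', 'Provider returned no usable email address.' );
    }

    $existing = get_user_by( 'email', $email );
    if ( $existing instanceof WP_User ) {
        // Login path: identity is matched, roles are left exactly as they were.
        return $existing->ID;
    }

    // Sign-up path: the role is decided here and nowhere else.
    $role     = get_option( 'default_role', 'subscriber' );
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        // Never let a social sign-up land in a role that administers the site.
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login'   => sanitize_user( 'social_' . substr( wp_hash( $email ), 0, 12 ), true ),
        'user_email'   => $email,
        'display_name' => sanitize_text_field( isset( $profile['name'] ) ? $profile['name'] : '' ),
        'user_pass'    => wp_generate_password( 32, true, true ),
        'role'         => $role,
    ) );

    if ( ! is_wp_error( $user_id ) ) {
        // Hypothetical hook: gives the site an audit trail of social sign-ups.
        do_action( 'social_login_user_created', $user_id, $role );
    }

    return $user_id;
}
```

The design point is that the sign-up and login paths are separated: only sign-up assigns a role, it assigns exactly one low-privilege role chosen by the server, and login never calls anything that rewrites roles on an existing account.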

Exploitation Status

No known exploit code has been publicly identified at this time, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as "no known exploit", meaning active in-the-wild exploitation has not been confirmed as of May 4, 2026. However, the critical CVSS score of 9.8 and the straightforward nature of privilege escalation flaws in authentication flows make this a high-priority candidate for future exploitation attempts.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Opportunistic actors who routinely scan for vulnerable WordPress plugins represent the most likely threat profile given the nature of the flaw and the broad deployment of WordPress-based directory sites.

What To Do

Update the Directorist Social Login plugin to version 2.1.4 or later immediately. Given the critical severity rating and the potential for complete site compromise, patching should be treated as urgent and prioritized ahead of routine maintenance cycles. Site administrators who cannot patch immediately should consider disabling the Directorist Social Login plugin until the update can be applied. Review user accounts for any unexpected role assignments or recently created administrator accounts as a detection measure, and audit authentication logs for anomalous social login activity. No CISA binding directive applies at this time as the vulnerability is not KEV-listed.
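As an added example for the account-review step above (not code from the plugin or from Lyceum), the two helpers below run inside WordPress and surface the signals an administrator would look for after this class of flaw: administrator accounts registered inside a recent window, and administrator accounts that also carry additional roles. The function names and the 30-day default are constructed; `get_users`, `DAY_IN_SECONDS` and the `user_registered` field are standard WordPress.

```php
<?php
// Added detection helpers, not the Directorist Social Login plugin's code.
// Intended to be loaded inside WordPress (for example as an mu-plugin) so
// that get_users() and DAY_IN_SECONDS are available.

/**
 * Administrator accounts registered within the last $days days, oldest first,
 * so that unexpected admin sign-ups stand out next to long-standing ones.
 *
 * @param int $days Lookback window in days (constructed default: 30).
 * @return array[] Each entry: ID, user_login, user_email, user_registered.
 */
function recently_created_admins( $days = 30 ) {
    $cutoff = time() - ( (int) $days * DAY_IN_SECONDS );
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'ASC',
    ) );

    $recent = array();
    foreach ( $admins as $user ) {
        // WordPress stores user_registered in UTC.
        $registered = strtotime( $user->user_registered . ' UTC' );
        if ( false !== $registered && $registered >= $cutoff ) {
            $recent[] = array(
                'ID'              => $user->ID,
                'user_login'      => $user->user_login,
                'user_email'      => $user->user_email,
                'user_registered' => $user->user_registered,
            );
        }
    }
    return $recent;
}

/**
 * Administrator accounts that hold more than one role. Normal sign-up through
 * a single default role never produces this shape, so each hit deserves a look.
 *
 * @return array[] Each entry: ID, user_login, roles.
 */
function admins_with_extra_roles() {
    $flagged = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( count( $user->roles ) > 1 ) {
            $flagged[] = array(
                'ID'         => $user->ID,
                'user_login' => $user->user_login,
                'roles'      => $user->roles,
            );
        }
    }
    return $flagged;
}
```

With the file loaded as an mu-plugin, `wp eval 'print_r( recently_created_admins( 30 ) );'` prints the result from WP-CLI; `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=registered` gives a quick unfiltered equivalent of the first helper without installing anything. Compare the output against the list of administrators the site is known to have, and treat any account that is neither expected nor explainable as an incident rather than a cleanup item.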
