WordPress Plugin Vulnerabilities

Import and export users and customers < 2.0 - Privilege Escalation to Administrator via save_extra_user_profile_fields

Description

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.

Affects Plugins

Plugin icon
import-users-from-csv-with-meta
Fixed in 2.0

References

CVE
CVE-2026-3629
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/48dd9098-38e6-49da-8d22-27e12fddef51

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
6.6 (Medium)

Miscellaneous

Original Researcher
kai63001
Verified
No
WPVDB ID
23889882-71d3-4d84-a8f7-fefa0a01dd33

Timeline

Publicly Published
2026-03-21 (about 1 month ago)
Added
2026-03-21 (about 1 month ago)
Last Updated
2026-03-21 (about 1 month ago)

Other

Published
Title
Published
2025-12-11
Title
Comments – wpDiscuz < 7.6.40 - Unauthenticated Account Takeover
Published
2025-07-11
Title
Nokri < 1.6.4 - Subscriber+ Privilege Escalation
Published
2024-09-17
Title
Houzez < 3.3.0 - Subscriber+ Privilege Escalation
Published
2025-12-02
Title
DesignThemes LMS < 1.0.5 - Unauthenticated Privilege Escalation
Published
2025-03-04
Title
Homey < 2.4.3 - Unauthenticated Privilege Escalation in homey_save_profile