WordPress Plugin Flaws Enable Privilege Escalation to Administrator
Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to Administrator by abusing improper handling of user profile metadata. CVE-2026-4261 affects Expire Users through version 1.2.2, where the save_extra_user_profile_fields function allows modification of the on_expire_default_to_role meta value; an authenticated attacker with Subscriber-level access or higher can exploit the flaw to gain full administrative control. The issue was classified as CWE-862 and carries a high-severity CVSS v3.1 score with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
A second flaw, CVE-2026-3629, impacts Import and export users and customers through version 1.29.7 and can, under specific conditions, allow even unauthenticated attackers to become administrators. The plugin's save_extra_user_profile_fields logic fails to block sensitive keys such as wp_capabilities because get_restricted_fields does not restrict them, enabling a crafted registration request to assign elevated privileges when "Show fields in profile" is enabled and a previously imported CSV included a wp_capabilities column header. That vulnerability was classified as CWE-269 with a CVSS v3.1 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-3629 disclosed for Import and export users and customers
A privilege-escalation vulnerability affecting Import and export users and customers versions up to 1.29.7 was disclosed. Under specific conditions, an unauthenticated attacker can submit a crafted registration request to set wp_capabilities and obtain administrator privileges.
CVE-2026-4261 disclosed for Expire Users plugin
A privilege-escalation vulnerability affecting Expire Users versions up to 1.2.2 was disclosed. The flaw allows an authenticated Subscriber-level user or higher to modify the on_expire_default_to_role meta via save_extra_user_profile_fields and gain administrator privileges.
Wordfence receives reports for CVE-2026-4261 and CVE-2026-3629
Wordfence received vulnerability reports on March 21, 2026 for two WordPress plugin privilege-escalation flaws: CVE-2026-4261 in Expire Users and CVE-2026-3629 in Import and export users and customers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-4261 - Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields
cvefeed.io
Open sourceCVE-2026-3629 - Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WordPress Plugin Flaws Enable Account Takeover and Possible RCE
Multiple high-severity flaws in WordPress plugins exposed sites to account takeover and, in one case, possible remote code execution. In **Users Manager PN**, tracked as `CVE-2026-4003`, a missing authorization check in the `userspn_ajax_nopriv_server()` handler let unauthenticated attackers overwrite arbitrary user metadata through the `userspn_form_save` AJAX action. Because the required `userspn-nonce` was reportedly exposed on public pages, attackers could abuse the bug with a single crafted request to modify profiles and potentially seize control of administrator accounts. The issue affected versions through `1.1.15` and was reportedly fixed in `1.1.20`. Two additional vulnerabilities were disclosed in **WP Captcha PRO** affecting versions through `5.38`. `CVE-2026-5415` allowed **Subscriber-level users or higher** to generate temporary login links for arbitrary accounts because the `ajax_run_tool()` AJAX handler checked only a nonce and not user capabilities, enabling authentication bypass and administrator takeover. Separately, `CVE-2026-5411` allowed authenticated low-privilege users to upload attacker-controlled files by poisoning license metadata and abusing `sync_cloud_protection()` to download and extract content into a web-accessible uploads directory; if PHP execution was possible and `allow_url_fopen` was enabled for remote retrieval, the flaw could be escalated to **remote code execution** via a webshell.
Jun 12, 2026
Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)
A critical vulnerability, **CVE-2025-14533**, was disclosed in the WordPress plugin *Advanced Custom Fields: Extended* affecting versions **<= 0.9.2.1**. The issue is an **unauthenticated privilege escalation** in the plugin’s user-form handling, where the `insert_user` logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the **`administrator`** role and obtain full administrative access under certain configurations. Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is set up such that the **`role`** value is mapped to a custom field / user role field is present in the form. The weakness was identified by **Andrea Bocchetti** via the **Wordfence Bug Bounty Program**, and is associated with **CWE-269 (Improper Privilege Management)**; once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).
Mar 21, 2026
WordPress Membership Plugin Flaws Enable Administrator Account Takeover
Multiple high-severity flaws in popular WordPress membership plugins can let attackers create administrator accounts and fully compromise affected sites. In the **User Registration & Membership** plugin, `CVE-2026-1492` affects versions through `5.1.2` and allows **unauthenticated** attackers to bypass authentication by abusing exposed nonce values, weak server-side validation, and legitimate AJAX functionality in membership workflows, including requests to `admin-ajax.php`. Researchers said successful exploitation can lead to malicious plugin installation, persistence, data theft, site defacement, and potential remote code execution; the issue is fixed in version `5.1.3`, and public exploit code is available. A separate cluster of vulnerabilities affects **WishList Member** through version `3.30.1`, where several missing authorization checks let **Subscriber-level or higher** users escalate privileges. `CVE-2026-6895` and `CVE-2026-6419` can expose the plugin's REST API Secret Key through AJAX actions, while `CVE-2026-6898` and `CVE-2026-6897` allow authenticated users to generate or modify that key and other plugin settings. With the API key, an attacker can create a membership level mapped to the WordPress administrator role, register a new admin account, and take over the site, extending a pattern of recurring authentication-bypass and privilege-escalation weaknesses previously seen in related membership plugin codebases.
May 25, 2026