WordPress Plugin Flaws Enable Account Takeover and Possible RCE
Multiple high-severity flaws in WordPress plugins exposed sites to account takeover and, in one case, possible remote code execution. In Users Manager PN, tracked as CVE-2026-4003, a missing authorization check in the userspn_ajax_nopriv_server() handler let unauthenticated attackers overwrite arbitrary user metadata through the userspn_form_save AJAX action. Because the required userspn-nonce was reportedly exposed on public pages, attackers could abuse the bug with a single crafted request to modify profiles and potentially seize control of administrator accounts. The issue affected versions through 1.1.15 and was reportedly fixed in 1.1.20.
Two additional vulnerabilities were disclosed in WP Captcha PRO affecting versions through 5.38. CVE-2026-5415 allowed Subscriber-level users or higher to generate temporary login links for arbitrary accounts because the ajax_run_tool() AJAX handler checked only a nonce and not user capabilities, enabling authentication bypass and administrator takeover. Separately, CVE-2026-5411 allowed authenticated low-privilege users to upload attacker-controlled files by poisoning license metadata and abusing sync_cloud_protection() to download and extract content into a web-accessible uploads directory; if PHP execution was possible and allow_url_fopen was enabled for remote retrieval, the flaw could be escalated to remote code execution via a webshell.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-5411 disclosed in WP Captcha PRO
A high-severity arbitrary file upload vulnerability was disclosed in WP Captcha PRO affecting versions up to and including 5.38. The flaw can let authenticated Subscriber-level users upload attacker-controlled files, potentially leading to remote code execution via webshell deployment.
CVE-2026-5415 disclosed in WP Captcha PRO
A high-severity authentication bypass vulnerability was disclosed in WP Captcha PRO affecting versions up to and including 5.38. The flaw allows authenticated Subscriber-level users or higher to generate temporary login links for arbitrary users and log in as them, including administrators.
CVE-2026-4003 disclosed in Users Manager PN plugin
A critical unauthenticated privilege-escalation vulnerability was disclosed in the WordPress Users Manager PN plugin. The flaw allows arbitrary user metadata updates and potential takeover of any account, including administrators, using a publicly exposed nonce.
Users Manager PN vulnerability fixed in version 1.1.20
The vendor reportedly fixed a critical missing-authorization flaw in the WordPress Users Manager PN plugin in version 1.1.20. The issue affected all versions up to and including 1.1.15 and could allow unauthenticated account takeover.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-5415 - WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
cvefeed.io
Open sourceCVE-2026-5411 - WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
cvefeed.io
Open sourceQuick Look: CVE-2026-4003 - Unauthenticated Privilege Escalation in WordPress Users Manager PN Plugin - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WordPress Membership Plugin Flaws Enable Administrator Account Takeover
Multiple high-severity flaws in popular WordPress membership plugins can let attackers create administrator accounts and fully compromise affected sites. In the **User Registration & Membership** plugin, `CVE-2026-1492` affects versions through `5.1.2` and allows **unauthenticated** attackers to bypass authentication by abusing exposed nonce values, weak server-side validation, and legitimate AJAX functionality in membership workflows, including requests to `admin-ajax.php`. Researchers said successful exploitation can lead to malicious plugin installation, persistence, data theft, site defacement, and potential remote code execution; the issue is fixed in version `5.1.3`, and public exploit code is available. A separate cluster of vulnerabilities affects **WishList Member** through version `3.30.1`, where several missing authorization checks let **Subscriber-level or higher** users escalate privileges. `CVE-2026-6895` and `CVE-2026-6419` can expose the plugin's REST API Secret Key through AJAX actions, while `CVE-2026-6898` and `CVE-2026-6897` allow authenticated users to generate or modify that key and other plugin settings. With the API key, an attacker can create a membership level mapped to the WordPress administrator role, register a new admin account, and take over the site, extending a pattern of recurring authentication-bypass and privilege-escalation weaknesses previously seen in related membership plugin codebases.
May 25, 2026
Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
Mar 21, 2026
WordPress Plugin Flaws Enable Privilege Escalation to Administrator
Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to **Administrator** by abusing improper handling of user profile metadata. `CVE-2026-4261` affects **Expire Users** through version `1.2.2`, where the `save_extra_user_profile_fields` function allows modification of the `on_expire_default_to_role` meta value; an authenticated attacker with **Subscriber-level access or higher** can exploit the flaw to gain full administrative control. The issue was classified as `CWE-862` and carries a high-severity `CVSS v3.1` score with the vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-3629`, impacts **Import and export users and customers** through version `1.29.7` and can, under specific conditions, allow even **unauthenticated** attackers to become administrators. The plugin's `save_extra_user_profile_fields` logic fails to block sensitive keys such as `wp_capabilities` because `get_restricted_fields` does not restrict them, enabling a crafted registration request to assign elevated privileges when **"Show fields in profile"** is enabled and a previously imported CSV included a `wp_capabilities` column header. That vulnerability was classified as `CWE-269` with a `CVSS v3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 23, 2026