Mallory
High

Privilege Escalation in WordPress Expire Users plugin

Identifiers: CVE-2026-4261, CWE-862 · Missing Authorization

CVE-2026-4261 is a privilege escalation vulnerability in the Expire Users plugin for WordPress affecting all versions up to and including 1.2.2. The flaw is a missing authorization check in the plugin's save_extra_user_profile_fields function, which lets a user update the on_expire_default_to_role meta value. Because this role-related metadata can be modified by a low-privileged authenticated user, an attacker can abuse the plugin's expiration-role handling to be assigned a more privileged role: authenticated attackers with Subscriber-level access or higher can escalate their privileges to administrator.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privileged user to obtain administrator-level access in the affected WordPress site. This can lead to full compromise of the WordPress application, including access to sensitive data, modification of site content and configuration, installation or modification of plugins and themes, creation of additional privileged accounts, and potential further code execution depending on site configuration and available administrative capabilities.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable the Expire Users plugin or restrict access to affected WordPress instances to trusted users only. Reduce exposure by limiting or removing low-privileged accounts such as Subscribers where feasible, and monitor for changes to user roles, profile metadata, and creation of new administrator accounts. Additional compensating controls include enforcing strong authentication, reviewing plugin code customizations, and using WordPress security monitoring to detect suspicious profile updates or privilege changes.
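The monitoring the mitigation calls for (changes to user roles, role-affecting profile metadata, and creation of new administrator accounts) can be implemented as a small must-use plugin. The following is an added example written for this page, not code from Expire Users or from Mallory; the action hooks are real WordPress core hooks, while the function names, the watched meta-key list and the log line format are assumptions made for the example. Drop it into wp-content/mu-plugins/ and it writes one JSON line per event to the PHP error log (or the file WP_DEBUG_LOG points at).

```php
<?php
/**
 * Plugin Name: Role Change Audit (added example; not part of Expire Users)
 *
 * Logs every change to a user's role or role-affecting metadata, and every
 * newly registered account that is already an administrator. Hook names are
 * WordPress core actions; everything else here is an assumption for the example.
 */

// Meta keys that influence role assignment. 'on_expire_default_to_role' is the
// key named in the advisory; '{prefix}capabilities' is the core key that stores
// a user's roles, so WP_User::set_role() also shows up here.
function rca_watched_meta_keys() {
    global $wpdb;
    return array( 'on_expire_default_to_role', $wpdb->prefix . 'capabilities' );
}

// Emit one structured line; actor is 0 when the change comes from cron or WP-CLI.
function rca_log( $event, array $fields ) {
    $fields['event'] = $event;
    $fields['actor'] = get_current_user_id();
    $fields['ip']    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a';
    $fields['ts']    = gmdate( 'c' );
    error_log( 'rca ' . wp_json_encode( $fields ) );
}

// Fires from WP_User::set_role() with the new role and the previous roles.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $fields = array( 'user' => $user_id, 'new_role' => $role, 'old_roles' => $old_roles );
    // Promotion to administrator is exactly the outcome the advisory describes.
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        $fields['alert'] = 'privilege_escalation_to_admin';
    }
    rca_log( 'set_user_role', $fields );
}, 10, 3 );

// Fires after a user meta value is added or updated (core passes 4 arguments).
$rca_meta_listener = function ( $meta_id, $user_id, $meta_key, $meta_value ) {
    if ( ! in_array( $meta_key, rca_watched_meta_keys(), true ) ) {
        return;
    }
    rca_log( 'role_meta_changed', array(
        'user'  => $user_id,
        'key'   => $meta_key,
        'value' => is_scalar( $meta_value ) ? $meta_value : wp_json_encode( $meta_value ),
    ) );
};
add_action( 'updated_user_meta', $rca_meta_listener, 10, 4 );
add_action( 'added_user_meta',   $rca_meta_listener, 10, 4 );

// Fires after wp_insert_user(); a brand-new account that is already an
// administrator gets its own alert.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        rca_log( 'admin_account_created', array(
            'user'  => $user_id,
            'login' => $user->user_login,
            'alert' => 'new_admin',
        ) );
    }
}, 10, 1 );
```

A role change made through WP_User::set_role() produces two lines (the set_user_role event and the capabilities meta update); that redundancy is deliberate, since a direct update_user_meta() call on the capabilities key bypasses set_user_role and would otherwise go unrecorded. Ship the log to your SIEM and alert on the `alert` field.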

Remediation

Patch, then assume compromise.

Update the Expire Users plugin to a version newer than 1.2.2 once a vendor fix is available. If no patched version is available, remove or disable the plugin to eliminate exposure. Review the plugin's handling of save_extra_user_profile_fields and ensure only appropriately authorized administrators can modify the on_expire_default_to_role meta or any role-affecting user metadata. After remediation, audit user accounts and role assignments for unauthorized administrator creation or privilege changes.
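The authorization pattern the advisory says is missing in save_extra_user_profile_fields, and that the remediation asks you to verify, looks like the following. This is an added example written for this page, not the plugin's own code and not a patch from its vendor: the function names, the form field name and the use of 'promote_users' as the gating capability are assumptions; the meta key on_expire_default_to_role, the nonce action 'update-user_{ID}', the profile-save hooks and the capability names are real WordPress values. The point it demonstrates is that being allowed to edit a profile (which every logged-in user has for their own account) must not be treated as permission to write role-affecting metadata.

```php
<?php
/**
 * Hardened profile-field save handler (added example; not Expire Users code).
 *
 * Before a role-affecting user meta is written from a profile-form submission:
 *   1. verify the request nonce,
 *   2. require a capability that low-privileged roles do not hold,
 *   3. validate the submitted role against the roles this actor may assign.
 */

// Hypothetical form field name; the real plugin's field is not shown in the advisory.
define( 'EU_EXAMPLE_FIELD', 'on_expire_default_to_role' );

// True only when the current request may change the expiry role for $user_id.
function eu_example_can_set_expire_role( $user_id ) {
    // 1. The core profile form carries the nonce 'update-user_{ID}'; core checks
    //    it before firing the save hooks, but a handler should not rely on that.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'update-user_' . $user_id ) ) {
        return false;
    }
    // 2. 'edit_user' on one's own profile is granted to every role, so on its own
    //    it is the missing-authorization mistake. 'promote_users' is held by
    //    administrators only in a default install; Subscribers through Editors fail here.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    return true;
}

// Returns the sanitized role name, or null when it is unknown or not assignable.
function eu_example_sanitize_role( $raw ) {
    $role = sanitize_key( wp_unslash( $raw ) );
    if ( '' === $role ) {
        return null;
    }
    // get_editable_roles() lives in wp-admin/includes/user.php and applies the
    // 'editable_roles' filter, so a site can forbid handing out 'administrator'
    // even to actors who pass the capability check.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    return in_array( $role, array_keys( get_editable_roles() ), true ) ? $role : null;
}

// Hooked to the two actions WordPress fires when a profile form is saved.
function eu_example_save_profile_fields( $user_id ) {
    if ( ! isset( $_POST[ EU_EXAMPLE_FIELD ] ) ) {
        return; // Field absent: nothing to write, and nothing to refuse.
    }
    if ( ! eu_example_can_set_expire_role( $user_id ) ) {
        // Refusals are worth logging: a Subscriber posting this field is a signal.
        error_log( sprintf( 'expire-role change refused: actor=%d target=%d',
            get_current_user_id(), $user_id ) );
        return;
    }
    $role = eu_example_sanitize_role( $_POST[ EU_EXAMPLE_FIELD ] );
    if ( null === $role ) {
        return;
    }
    update_user_meta( $user_id, 'on_expire_default_to_role', $role );
}
add_action( 'personal_options_update',  'eu_example_save_profile_fields' );
add_action( 'edit_user_profile_update', 'eu_example_save_profile_fields' );
```

When reviewing the installed plugin, the question to answer is whether its handler performs checks 2 and 3 before calling update_user_meta() for on_expire_default_to_role; a nonce check alone does not help, because a Subscriber editing their own profile holds a valid nonce.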
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.
