CVE-2026-3629
Received Received - Intake
Privilege Escalation in WordPress Import/Export Users Plugin

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3629
EUVD
EUVD-2026-14256
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_import_export_users_and_customers plugin to 1.29.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Executive Summary

The vulnerability exists in the Import and export users and customers plugin for WordPress, affecting all versions up to and including 1.29.7. It is caused by the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated through profile fields.

Specifically, the 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This allows unauthenticated attackers to escalate their privileges to Administrator by submitting a specially crafted registration request that sets the 'wp_capabilities' meta key.

However, exploitation requires that the "Show fields in profile" setting is enabled and that a CSV file containing a wp_capabilities column header has been previously imported.

Impact Analysis

This vulnerability can have a severe impact as it allows unauthenticated attackers to escalate their privileges to Administrator level on a WordPress site using the affected plugin.

With Administrator privileges, attackers can gain full control over the website, including modifying content, installing malicious plugins or themes, accessing sensitive data, and potentially compromising the entire server environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3629. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart