CVE-2026-3629
Received Received - Intake
Privilege Escalation in WordPress Import/Export Users Plugin

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-05-07
AI Q&A
2026-03-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3629
EUVD
EUVD-2026-14256
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_import_export_users_and_customers plugin to 1.29.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Can you explain this vulnerability to me?

The vulnerability exists in the Import and export users and customers plugin for WordPress, affecting all versions up to and including 1.29.7. It is caused by the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated through profile fields.

Specifically, the 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This allows unauthenticated attackers to escalate their privileges to Administrator by submitting a specially crafted registration request that sets the 'wp_capabilities' meta key.

However, exploitation requires that the "Show fields in profile" setting is enabled and that a CSV file containing a wp_capabilities column header has been previously imported.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability impact me? :

This vulnerability can have a severe impact as it allows unauthenticated attackers to escalate their privileges to Administrator level on a WordPress site using the affected plugin.

With Administrator privileges, attackers can gain full control over the website, including modifying content, installing malicious plugins or themes, accessing sensitive data, and potentially compromising the entire server environment.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart