CVE-2026-4003
Received Received - Intake
Privilege Escalation in WordPress Users Manager – PN Plugin

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4003
EUVD
EUVD-2026-20043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence users_manager_pn to 1.1.15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Users manager – PN plugin for WordPress has a vulnerability that allows privilege escalation through arbitrary user meta updates. This happens because the authorization logic in the userspn_ajax_nopriv_server() function is flawed. Specifically, the function only blocks unauthenticated users when the user_id is empty. However, if a non-empty user_id is provided, the check is bypassed, allowing the attacker to update any user's metadata without authentication or authorization.

Additionally, the security nonce ('userspn-nonce') intended to protect this AJAX endpoint is exposed publicly to all visitors, making the nonce check ineffective. This combination allows unauthenticated attackers to modify arbitrary user metadata, including sensitive fields like userspn_secret_token.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to escalate privileges by modifying user metadata arbitrarily. Attackers could potentially change sensitive information or tokens associated with user accounts, leading to unauthorized access, data manipulation, or further compromise of the WordPress site.

Given the CVSS score of 9.8, the impact includes high confidentiality, integrity, and availability risks, meaning attackers can fully compromise user data and site functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart