CVE-2026-4003
Privilege Escalation in WordPress Users Manager β PN Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | users_manager_pn | up to 1.1.15 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Users manager β PN plugin for WordPress has a vulnerability that allows privilege escalation through arbitrary user meta updates. The cause is flawed authorization logic in the userspn_ajax_nopriv_server() function: it rejects unauthenticated requests only when the supplied user_id is empty. Any non-empty user_id therefore bypasses the check, so the metadata of any user can be updated without authentication or authorization.
Additionally, the security nonce ('userspn-nonce') intended to protect this AJAX endpoint is exposed publicly to all visitors, which makes the nonce check ineffective as an access control. Together, these flaws allow unauthenticated attackers to modify arbitrary user metadata, including sensitive fields such as userspn_secret_token.
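The following is an added, illustrative example, not the plugin's source code: it reconstructs the flawed check pattern the description above attributes to userspn_ajax_nopriv_server() (reject only when user_id is empty) and places a hardened WordPress AJAX handler beside it. The function names, the `example_update_user_meta` action and the allowlisted meta keys are assumptions for illustration; only the nonce name 'userspn-nonce' and the meta key userspn_secret_token come from the advisory text. The hardened version goes slightly beyond the page by also allowlisting writable meta keys, which closes the same class of bug for any key, not just the one named.

```php
<?php
// Illustrative WordPress AJAX handlers for the authorization flaw class in
// CVE-2026-4003. Hypothetical code, NOT the Users manager β PN plugin's source.

/*
 * Flawed pattern (reconstructed from the advisory's wording, not real code):
 * an unauthenticated caller is rejected only when user_id is empty, so any
 * non-empty user_id skips the check. A nonce printed for every visitor adds
 * no authorization value, so the nonce check does not rescue this either.
 */
function example_flawed_update_meta() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    if ( empty( $user_id ) && ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthorized', 403 ); // only reached when user_id is empty
    }
    check_ajax_referer( 'userspn-nonce', 'nonce' );

    update_user_meta(
        $user_id,
        sanitize_key( wp_unslash( $_POST['meta_key'] ) ),
        sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
    );
    wp_send_json_success();
}

/*
 * Hardened pattern: authenticate first, verify the nonce as CSRF protection,
 * then authorize the caller for the specific target user and restrict which
 * meta keys the client may write at all.
 */
function example_hardened_update_meta() {
    // 1. Authentication: this handler is registered only on wp_ajax_, never on
    //    wp_ajax_nopriv_, and still checks login state explicitly.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthorized', 401 );
    }

    // 2. CSRF protection. A nonce proves request origin, not permission.
    check_ajax_referer( 'userspn-nonce', 'nonce' );

    $user_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $meta_key   = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    $meta_value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';

    // 3. Authorization against the target: a user may edit only their own record
    //    unless they hold the edit_user meta capability for that specific user.
    if ( $user_id === 0 || ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Allowlist writable keys. Security-sensitive keys such as
    //    userspn_secret_token (named in the advisory) or wp_capabilities must
    //    never be client-writable. The keys below are assumed for illustration.
    $allowed_keys = array( 'example_display_pref', 'example_timezone' );
    if ( ! in_array( $meta_key, $allowed_keys, true ) ) {
        wp_send_json_error( 'meta key not allowed', 400 );
    }

    update_user_meta( $user_id, $meta_key, $meta_value );
    wp_send_json_success();
}

// Register only the authenticated hook; the nopriv variant is deliberately absent.
add_action( 'wp_ajax_example_update_user_meta', 'example_hardened_update_meta' );
```

The ordering matters: the authentication and capability checks decide whether the request is allowed, while the nonce only confirms the request was not forged cross-site. A nonce that every visitor can read cannot substitute for either of the first two checks, which is why the hardened handler treats it as defence in depth rather than as the gate.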
How can this vulnerability impact me?
This vulnerability can have severe impact because it allows unauthenticated attackers to escalate privileges by modifying user metadata arbitrarily. Attackers could change sensitive information or tokens associated with user accounts, leading to unauthorized access, data manipulation, or further compromise of the WordPress site.
Given the CVSS score of 9.8, the impact includes high confidentiality, integrity, and availability risk: attackers can fully compromise user data and site functionality.