CVE-2026-7641
Privilege Escalation in Import and Export Users and Customers WordPress Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | import_and_export_users_and_customers_plugin | up to and including 2.0.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Import and export users and customers plugin for WordPress, affecting all versions up to and including 2.0.8. It is a Privilege Escalation issue caused by an incomplete blocklist in the function save_extra_user_profile_fields(). While the blocklist correctly restricts capability meta keys for the primary site, it fails to block equivalent meta keys for subsites in a WordPress Multisite network. This allows certain capability keys to bypass checks and be written directly to user metadata.
As a result, authenticated users with Subscriber-level access or higher can escalate their privileges to Administrator on any subsite by submitting a specially crafted profile update to /wp-admin/profile.php. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and enabled the 'Show fields in profile?' option, which exposes these keys as editable fields on user profiles.
How can this vulnerability impact me?
This vulnerability can allow an attacker with relatively low privileges (Subscriber-level or above) to escalate their access to Administrator on any subsite within a WordPress Multisite network. This means the attacker could gain full control over subsites, potentially allowing them to modify content, change settings, install malicious plugins or themes, and access sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running the Import and export users and customers plugin version 2.0.8 or earlier, and if it is part of a WordPress Multisite network.
Specifically, you should verify if the 'Show fields in profile?' option is enabled and if the 'acui_columns' option contains multisite-prefixed capability keys such as 'wp_2_capabilities' or 'wp_2_user_level'.
Since exploitation involves submitting crafted profile updates to /wp-admin/profile.php, monitoring HTTP requests to this endpoint for unusual profile update payloads containing multisite-prefixed capability keys can help detect attempts.
No explicit commands are provided in the available resources, but general approaches include:
- Using WP-CLI to check plugin version: `wp plugin get import-and-export-users-and-customers`
- Using WP-CLI or database queries to inspect the 'acui_columns' option for multisite-prefixed keys: `wp option get acui_columns`
- Reviewing web server logs or using intrusion detection systems to flag POST requests to `/wp-admin/profile.php` containing suspicious capability meta keys.
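The two checks above (inspecting `acui_columns` and flagging profile-update payloads) can be scripted. The following is an added example written for this page, not code from the plugin or from Wordfence; it assumes the network uses the default `wp_` base table prefix and that the plugin posts extra profile fields under their raw meta-key names, and the sample data is constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: the network's base table prefix is the WordPress default "wp_".
# Subsite tables use "<base_prefix><blog_id>_", so a subsite's capability meta
# keys look like "wp_2_capabilities" and "wp_2_user_level".
BASE_PREFIX = "wp_"
CAPABILITY_SUFFIXES = ("capabilities", "user_level")

# One pattern covering the primary site (no blog id) and every subsite.
# The incomplete blocklist described above only covered the primary-site form.
_CAP_KEY_RE = re.compile(
    r"^" + re.escape(BASE_PREFIX) + r"(?:\d+_)?(?:"
    + "|".join(CAPABILITY_SUFFIXES) + r")$"
)


def is_capability_meta_key(key: str) -> bool:
    """True for wp_capabilities, wp_user_level and their wp_<n>_ subsite variants."""
    return _CAP_KEY_RE.fullmatch(key) is not None


def flag_acui_columns(columns):
    """Return the names in the 'acui_columns' option that would expose a
    capability key as an editable profile field (these are the ones to clean)."""
    return [c for c in columns if is_capability_meta_key(c)]


def flag_profile_post(body: str):
    """Return capability keys present in a urlencoded POST body sent to
    /wp-admin/profile.php. Assumption: field names equal the meta keys.
    Only key names matter for detection; values are ignored."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in params if is_capability_meta_key(k))


# Constructed sample data, not taken from a real site or capture.
SAMPLE_COLUMNS = ["first_name", "billing_city", "wp_2_capabilities",
                  "wp_2_user_level", "wp_capabilities_note"]
SAMPLE_POST_BODY = "first_name=Alice&wp_2_capabilities=x&description=hello"

if __name__ == "__main__":
    print("acui_columns entries to clean:", flag_acui_columns(SAMPLE_COLUMNS))
    print("capability keys in POST body:", flag_profile_post(SAMPLE_POST_BODY))
```

If the network uses a non-default prefix, set `BASE_PREFIX` to the value of `$table_prefix` from `wp-config.php` before running it against real option data or logs.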
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Import and export users and customers plugin to a version later than 2.0.8 where this privilege escalation vulnerability is fixed.
If an update is not immediately possible, disable the 'Show fields in profile?' option to prevent multisite-prefixed capability keys from being exposed and editable on user profile pages.
Additionally, restrict access to the profile update page (`/wp-admin/profile.php`) to trusted users only, and monitor for suspicious profile update attempts.
Review and clean the 'acui_columns' option to remove any multisite-prefixed capability keys that could be exploited.