CVE-2026-7641
Deferred Deferred - Pending Action
Privilege Escalation in Import and Export Users and Customers WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7641
EUVD
EUVD-2026-26740
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence import_and_export_users_and_customers_plugin to 2.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Import and export users and customers plugin for WordPress, affecting all versions up to and including 2.0.8. It is a Privilege Escalation issue caused by an incomplete blocklist in the function save_extra_user_profile_fields(). While the blocklist correctly restricts capability meta keys for the primary site, it fails to block equivalent meta keys for subsites in a WordPress Multisite network. This allows certain capability keys to bypass checks and be written directly to user metadata.

As a result, authenticated users with Subscriber-level access or higher can escalate their privileges to Administrator on any subsite by submitting a specially crafted profile update to /wp-admin/profile.php. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and enabled the 'Show fields in profile?' option, which exposes these keys as editable fields on user profiles.

Impact Analysis

This vulnerability can allow an attacker with relatively low privileges (Subscriber-level or above) to escalate their access to Administrator on any subsite within a WordPress Multisite network. This means the attacker could gain full control over subsites, potentially allowing them to modify content, change settings, install malicious plugins or themes, and access sensitive information.

Detection Guidance

Detection of this vulnerability involves checking if the WordPress site is running the Import and export users and customers plugin version 2.0.8 or earlier, and if it is part of a WordPress Multisite network.

Specifically, you should verify if the 'Show fields in profile?' option is enabled and if the 'acui_columns' option contains multisite-prefixed capability keys such as 'wp_2_capabilities' or 'wp_2_user_level'.

Since exploitation involves submitting crafted profile updates to /wp-admin/profile.php, monitoring HTTP requests to this endpoint for unusual profile update payloads containing multisite-prefixed capability keys can help detect attempts.

No explicit commands are provided in the available resources, but general approaches include:

  • Using WP-CLI to check plugin version: `wp plugin get import-and-export-users-and-customers`
  • Using WP-CLI or database queries to inspect the 'acui_columns' option for multisite-prefixed keys: `wp option get acui_columns`
  • Reviewing web server logs or using intrusion detection systems to flag POST requests to `/wp-admin/profile.php` containing suspicious capability meta keys.
Mitigation Strategies

Immediate mitigation steps include updating the Import and export users and customers plugin to a version later than 2.0.8 where this privilege escalation vulnerability is fixed.

If an update is not immediately possible, disable the 'Show fields in profile?' option to prevent multisite-prefixed capability keys from being exposed and editable on user profile pages.

Additionally, restrict access to the profile update page (`/wp-admin/profile.php`) to trusted users only, and monitor for suspicious profile update attempts.

Review and clean the 'acui_columns' option to remove any multisite-prefixed capability keys that could be exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart