WordPress Plugin Flaws Enable Privilege Escalation to Administrator

Tags: internet-facing-service-vulnerability, identity-authentication-vulnerability, initial-access-method
Updated March 23, 2026 at 06:34 PM (2 sources)
Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to Administrator by abusing improper handling of user profile metadata. CVE-2026-4261 affects Expire Users through version 1.2.2, where the save_extra_user_profile_fields function allows modification of the on_expire_default_to_role meta value; an authenticated attacker with Subscriber-level access or higher can exploit the flaw to gain full administrative control. The issue was classified as CWE-862 and carries a high-severity CVSS v3.1 score with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

A second flaw, CVE-2026-3629, impacts Import and export users and customers through version 1.29.7 and can, under specific conditions, allow even unauthenticated attackers to become administrators. The plugin's save_extra_user_profile_fields logic fails to block sensitive keys such as wp_capabilities because get_restricted_fields does not restrict them, enabling a crafted registration request to assign elevated privileges when "Show fields in profile" is enabled and a previously imported CSV included a wp_capabilities column header. That vulnerability was classified as CWE-269 with a CVSS v3.1 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
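Both flaws above share one defect class: a profile-save routine writes whatever keys the request supplies into user meta, so a low-privileged caller (or, in the registration case, no caller at all) can reach a role-bearing key. The block below is an added illustration of that pattern next to a hardened version; it is written for this page and is not code from Expire Users, Import and export users and customers, or Wordfence. Every `demo_`-prefixed name, the field names, and the `demo_default_role` key (a stand-in for a role-on-event setting such as on_expire_default_to_role) are assumptions; the WordPress functions and hooks it calls are real core APIs.

```php
<?php
/**
 * Constructed illustration (not code from any plugin): a profile-save
 * handler of the kind described in the advisory, first in the vulnerable
 * shape and then hardened.
 */

// --- Vulnerable pattern: every submitted key becomes user meta. ---
// Because the request names the meta keys, a Subscriber editing their own
// profile, or a registration request if this handler runs on user_register,
// can supply wp_capabilities or a plugin role key and pick their own role.
function demo_save_extra_fields_vulnerable( $user_id ) {
    foreach ( $_POST as $key => $value ) {
        update_user_meta( $user_id, $key, wp_unslash( $value ) );
    }
}

// --- Hardened pattern ---
// 1. A fixed allowlist of the plugin's own field names, each with a
//    sanitizer, decides what may be written; the client never names a key.
// 2. Keys that affect authorization are refused even if listed.
// 3. The caller must hold a capability matching the effect of the write.
// 4. A nonce guards against CSRF; it is not the authorization check.
const DEMO_ALLOWED_FIELDS = array(
    'demo_phone'   => 'sanitize_text_field',   // hypothetical field
    'demo_company' => 'sanitize_text_field',   // hypothetical field
);

// Keys that must never be writable from a profile form. The first two are
// the core role and level keys (prefixed like every $wpdb table); the third
// is a constructed stand-in for a plugin's role-on-event setting.
function demo_is_privileged_meta_key( $key ) {
    global $wpdb;
    $denied = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
        'demo_default_role',
    );
    // Leading underscore marks protected meta in WordPress; refuse that too.
    return in_array( $key, $denied, true ) || 0 === strpos( $key, '_' );
}

function demo_save_extra_fields_hardened( $user_id ) {
    // CSRF: the form must carry a nonce bound to this action and user.
    $nonce = isset( $_POST['demo_profile_nonce'] ) ? wp_unslash( $_POST['demo_profile_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_profile_' . $user_id ) ) {
        return false;
    }
    // Authorization: only someone allowed to edit this profile may write it.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    foreach ( DEMO_ALLOWED_FIELDS as $key => $sanitizer ) {
        if ( demo_is_privileged_meta_key( $key ) || ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
        update_user_meta( $user_id, $key, $clean );
    }
    return true;
}

// Role changes live in a separate path that requires promote_users, so no
// profile form, registration hook, or CSV import can reach them by accident.
function demo_set_role( $user_id, $role ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return false;
    }
    $user = get_userdata( $user_id );
    if ( ! $user || ! get_role( $role ) ) {
        return false;   // unknown user or role name that is not registered
    }
    $user->set_role( $role );
    return true;
}

add_action( 'personal_options_update', 'demo_save_extra_fields_hardened' );
add_action( 'edit_user_profile_update', 'demo_save_extra_fields_hardened' );
```

The allowlist-with-sanitizer shape means a developer must add a field to the list before it can be saved; a request cannot extend it, which is the property both advisories describe as missing. Keeping role assignment behind `promote_users` in its own function is the structural fix; the deny-list in `demo_is_privileged_meta_key` is defence in depth for the day someone adds a role key to the allowlist without thinking.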

Timeline

  1. Mar 21, 2026

    CVE-2026-3629 disclosed for Import and export users and customers

    A privilege-escalation vulnerability affecting Import and export users and customers versions up to 1.29.7 was disclosed. Under specific conditions, an unauthenticated attacker can submit a crafted registration request to set wp_capabilities and obtain administrator privileges.

  2. Mar 21, 2026

    CVE-2026-4261 disclosed for Expire Users plugin

    A privilege-escalation vulnerability affecting Expire Users versions up to 1.2.2 was disclosed. The flaw allows an authenticated Subscriber-level user or higher to modify the on_expire_default_to_role meta via save_extra_user_profile_fields and gain administrator privileges.

  3. Mar 21, 2026

    Wordfence receives reports for CVE-2026-4261 and CVE-2026-3629

    Wordfence received vulnerability reports on March 21, 2026 for two WordPress plugin privilege-escalation flaws: CVE-2026-4261 in Expire Users and CVE-2026-3629 in Import and export users and customers.
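The check a site owner wants after this advisory is whether any administrator account appeared, or any capability was granted outside the role system, around the disclosure window. The following audit helpers are added here and are not code from Mallory, Wordfence, or either plugin; they are meant to run inside WordPress (for example with WP-CLI's `wp eval-file`), the `demo_` names are assumptions, and the cut-off date is taken from the timeline above.

```php
<?php
/**
 * Constructed audit helpers (not from any plugin or vendor). Run inside
 * WordPress, for example: wp eval-file audit.php
 */

// Administrator accounts registered on or after $since (any strtotime()
// string). WordPress core stores user_registered in UTC, so compare in UTC.
function demo_list_admins_registered_since( $since ) {
    $cutoff = strtotime( $since . ' UTC' );
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    $flagged = array();
    foreach ( $admins as $admin ) {
        if ( strtotime( $admin->user_registered . ' UTC' ) >= $cutoff ) {
            $flagged[] = array(
                'ID'         => (int) $admin->ID,
                'login'      => $admin->user_login,
                'email'      => $admin->user_email,
                'registered' => $admin->user_registered,
            );
        }
    }
    return $flagged;
}

// Entries in a user's capability meta that are not registered role names are
// capabilities granted to that user directly. A normal site assigns roles,
// not raw capabilities, so each such entry deserves an explanation; a direct
// write to wp_capabilities is exactly what leaves this kind of trace.
function demo_find_direct_capability_grants() {
    global $wpdb;
    $findings = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
        $caps = get_user_meta( $u->ID, $wpdb->prefix . 'capabilities', true );
        if ( ! is_array( $caps ) ) {
            continue;   // no capability meta at all: also worth noting, but not a grant
        }
        foreach ( $caps as $name => $granted ) {
            if ( $granted && ! get_role( $name ) ) {
                $findings[] = array(
                    'ID'    => (int) $u->ID,
                    'login' => $u->user_login,
                    'cap'   => $name,
                );
            }
        }
    }
    return $findings;
}

// Report. On a site where every entry is explained by a known change, both
// lists are empty; anything else is a lead for the incident timeline.
foreach ( demo_list_admins_registered_since( '2026-03-21' ) as $row ) {
    printf( "ADMIN  %d %s <%s> registered %s\n", $row['ID'], $row['login'], $row['email'], $row['registered'] );
}
foreach ( demo_find_direct_capability_grants() as $row ) {
    printf( "DIRECT %d %s holds capability %s outside any role\n", $row['ID'], $row['login'], $row['cap'] );
}
```

Registration date alone misses an existing account that was promoted rather than created, which is the Expire Users case, so the second function matters as much as the first; pairing both with the web server's access log for the plugin's profile or registration endpoints around the same window gives the full picture.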

Related Stories

Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)

A critical vulnerability, **CVE-2025-14533**, was disclosed in the WordPress plugin *Advanced Custom Fields: Extended* affecting versions **<= 0.9.2.1**. The issue is an **unauthenticated privilege escalation** in the plugin’s user-form handling, where the `insert_user` logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the **`administrator`** role and obtain full administrative access under certain configurations. Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is configured so that the **`role`** value is mapped to a custom field, that is, when a user-role field is present in the form. The weakness was identified by **Andrea Bocchetti** via the **Wordfence Bug Bounty Program**, and is associated with **CWE-269 (Improper Privilege Management)**; once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).

1 month ago

Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation

Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago

Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation

Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.

1 month ago