CVE-2026-7641

May 2, 2026, 5:16 a.m.

8.8
High

Description

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Import And Export Users And Customers Plugin
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress import_and_export_users_and_customers_plugin / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150
https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21
https://plugins.trac.wordpress.org/changeset/3515646
https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve

Tags

[email protected]
CWE-269
2026-05-02
CVE-2026-7641

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 2, 2026, 5:16 a.m.
Last Modified: May 2, 2026, 5:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.