The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation due to an incomplete blocklist in the `save_extra_user_profile_fields()` function. This vulnerability allows authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within a WordPress Multisite network. The flaw exists in all versions up to and including 2.0.8.
This vulnerability allows attackers to submit a crafted profile update to `/wp-admin/profile.php`, exploiting the failure to block multisite-prefixed capability keys such as `wp_2_capabilities` or `wp_2_user_level`. As a result, these keys can be written directly to user meta via the `update_user_meta()` function.
Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option. This results in those keys being stored in the `acui_columns` option and exposed as editable fields on the user profile page.
With a CVSS score of 8.8, this vulnerability is classified as high severity. Organizations using this plugin should prioritize patching immediately to prevent potential privilege escalation.
As this vulnerability could allow attackers to take control of user accounts, the risk to organizations includes unauthorized access to sensitive information and administrative capabilities across multiple sites.
Currently, no public exploit has been confirmed, but organizations should remain vigilant and apply the necessary updates as soon as possible.
The urgency for defenders is high, and proactive measures should be taken to mitigate this vulnerability.
Vulnerability Details
The vulnerability allows attackers to escalate privileges due to an incomplete blocklist that restricts capability meta keys only for the primary site. The CVE was published on May 2, 2026, and it is classified under CWE-269.
Technical Analysis
The root cause of this vulnerability lies in the implementation of the `save_extra_user_profile_fields()` function where the blocklist fails to restrict capability meta keys for subsites in a WordPress Multisite network. Attackers with low privileges can leverage this flaw to gain higher privileges.
The attack vector is through the network, requiring no user interaction. The complexity of the attack is low, with the necessary privileges for exploitation being low as well. The impacts on confidentiality, integrity, and availability are all rated high, indicating significant potential damage.
Risk & Impact Analysis
The real-world risk associated with this vulnerability is substantial, given the potential for unauthorized access to administrative functions across multiple sites in a WordPress Multisite environment. Organizations should assess their usage of the affected plugin and prioritize remediation.
The urgency assessment is high due to the straightforward nature of the exploit and the severe consequences that could arise from successful exploitation. Organizations must act swiftly to patch this vulnerability.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions prior to vendor patch, specifically versions up to and including 2.0.8 of the Import and Export Users and Customers plugin for WordPress are affected.
Mitigation & Remediation
Organizations should upgrade to version 2.0.9 or later of the plugin to mitigate this vulnerability. In the absence of an immediate patch, administrators can disable the plugin to protect their sites until a fix is applied.
Additionally, implementing configuration hardening and access controls can help limit the risk of exploitation. Regular monitoring for unusual profile update activities is also recommended.
Continuous security testing can assist in identifying potential vulnerabilities in the future.
Detection Guidance
Monitoring logs for changes to user profiles, especially those by low-privileged accounts, can be an indicator of attempted exploitation. Look for behavioral anomalies such as unauthorized privilege escalations or modifications to user capabilities.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability lies in its potential to undermine the integrity of user management in WordPress Multisite environments. Security teams should be aware of the patterns that can lead to similar vulnerabilities and ensure robust testing practices.
Lessons learned from this incident emphasize the importance of thorough code audits and implementing comprehensive access controls to prevent privilege escalation.
Security teams should consider adopting a penetration testing methodology to proactively identify and mitigate similar risks in their applications.
Furthermore, organizations should remain engaged with threat intelligence platforms to stay updated on emerging threats and vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)