Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
AnalysisAI
Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.
Technical ContextAI
This vulnerability affects the Users Manager - PN WordPress plugin (cpe:2.3:a:felixmartinez:users_manager_-_pn:*:*:*:*:*:*:*:*), specifically versions through 1.1.15. The root cause is CWE-862 (Missing Authorization), where the AJAX handler userspn_ajax_nopriv_server() implements a conditional check that only validates authentication when user_id is empty. When a non-empty user_id parameter is provided, the function bypasses authorization entirely and proceeds directly to update_user_meta(), WordPress's core function for modifying user metadata. Compounding this flaw, the plugin exposes the required AJAX nonce ('userspn-nonce') to all site visitors via wp_localize_script on the public wp_enqueue_scripts hook, defeating the intended CSRF protection. The vulnerability allows manipulation of arbitrary user meta keys, including security-sensitive fields like userspn_secret_token. The affected code resides in class-userspn-ajax-nopriv.php within the 'userspn_form_save' case handler, with related vulnerable patterns observable in class-userspn-common.php and class-userspn-functions-user.php.
RemediationAI
Immediately update Users Manager - PN plugin to version 1.1.16 or later, which addresses this vulnerability per the Wordfence advisory and plugin repository changeset 3491109. Site administrators should verify the update via WordPress admin dashboard (Plugins > Installed Plugins) or manually via FTP/SFTP by replacing the /wp-content/plugins/userspn/ directory with the patched version from wordpress.org. If immediate patching is not feasible, temporarily deactivate and delete the plugin until updates can be applied, as no effective workaround exists for unauthenticated exploitation. After patching, conduct a security audit to identify any suspicious user metadata modifications or unauthorized privilege escalations that may have occurred while the vulnerability was present. Review user accounts for unexpected role changes, metadata alterations, or newly created administrative accounts. The fix implements proper authentication and capability checks before allowing user metadata updates. Consult the complete vulnerability analysis at https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6 and monitor plugin repository changesets for implementation details.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20043
GHSA-f474-j5g7-2pch