Skip to main content

WordPress EUVDEUVD-2026-20043

| CVE-2026-4003 CRITICAL
Missing Authorization (CWE-862)
2026-04-08 Wordfence GHSA-f474-j5g7-2pch
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 04:30 euvd
EUVD-2026-20043
Analysis Generated
Apr 08, 2026 - 04:30 vuln.today
CVE Published
Apr 08, 2026 - 03:36 nvd
CRITICAL 9.8

DescriptionCVE.org

The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.

AnalysisAI

Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.

Technical ContextAI

This vulnerability affects the Users Manager - PN WordPress plugin (cpe:2.3:a:felixmartinez:users_manager_-_pn:*:*:*:*:*:*:*:*), specifically versions through 1.1.15. The root cause is CWE-862 (Missing Authorization), where the AJAX handler userspn_ajax_nopriv_server() implements a conditional check that only validates authentication when user_id is empty. When a non-empty user_id parameter is provided, the function bypasses authorization entirely and proceeds directly to update_user_meta(), WordPress's core function for modifying user metadata. Compounding this flaw, the plugin exposes the required AJAX nonce ('userspn-nonce') to all site visitors via wp_localize_script on the public wp_enqueue_scripts hook, defeating the intended CSRF protection. The vulnerability allows manipulation of arbitrary user meta keys, including security-sensitive fields like userspn_secret_token. The affected code resides in class-userspn-ajax-nopriv.php within the 'userspn_form_save' case handler, with related vulnerable patterns observable in class-userspn-common.php and class-userspn-functions-user.php.

RemediationAI

Immediately update Users Manager - PN plugin to version 1.1.16 or later, which addresses this vulnerability per the Wordfence advisory and plugin repository changeset 3491109. Site administrators should verify the update via WordPress admin dashboard (Plugins > Installed Plugins) or manually via FTP/SFTP by replacing the /wp-content/plugins/userspn/ directory with the patched version from wordpress.org. If immediate patching is not feasible, temporarily deactivate and delete the plugin until updates can be applied, as no effective workaround exists for unauthenticated exploitation. After patching, conduct a security audit to identify any suspicious user metadata modifications or unauthorized privilege escalations that may have occurred while the vulnerability was present. Review user accounts for unexpected role changes, metadata alterations, or newly created administrative accounts. The fix implements proper authentication and capability checks before allowing user metadata updates. Consult the complete vulnerability analysis at https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6 and monitor plugin repository changesets for implementation details.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-20043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy