LeakyCreds

CVE-2026-3629 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: March 23, 2026

WordPress Import and export users and customers - Privilege Escalation

Published: March 21, 2026 | Updated: March 23, 2026 | Remote Exploitable

Overview

The WordPress plugin Import and export users and customers, in versions <= 1.29.7, contains a privilege escalation vulnerability caused by improper restriction of user meta keys in 'save_extra_user_profile_fields'. Unauthenticated attackers can escalate privileges to Administrator via a crafted registration. Exploitation requires that 'Show fields in profile' is enabled and that a CSV with a wp_capabilities column has previously been imported.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 4.4% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can escalate privileges to Administrator, compromising site control and security.

Mitigation

Update the plugin to the latest version, later than 1.29.7.

Social Media Activity (2 posts)

Offensive Sequence
@offseq
Mar 22, 2026

⚠️ CVE-2026-3629: HIGH severity in carazo's 'Import and export users and customers' WP plugin (≤1.29.7). Privilege escalation to admin possible if 'Show fields in profile' is on and CSV with 'wp_capabilities' imported. Mitigate now! https://radar.offseq.com/threat/cve-2026-3629-cwe-269-improper-privilege-managemen-61196a39 #OffSeq #WordPress #Infosec

TheHackerWire
@thehackerwire
Mar 21, 2026

🟠 CVE-2026-3629 - High (8.1) The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user met... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3629/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-3629
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed
EPSS: 4.4%
Social Posts: 2

CWE

  • CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.4% (probability of exploitation in the next 30 days)