CVE-2026-4003 - Vulnerability Analysis

Overview

Users manager – PN WordPress plugin <= 1.1.15 contains a privilege escalation caused by flawed authorization logic in userspn_ajax_nopriv_server() allowing unauthenticated attackers to update arbitrary user meta, exploit requires no authentication.

Severity & Score

Impact

Unauthenticated attackers can update arbitrary user metadata, potentially escalating privileges or compromising user accounts.

Mitigation

Update to the latest version beyond 1.1.15.

References

• https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190
• https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235
• https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491109%40userspn&new=3491109%40userspn&sfp_email=&sfph_mail=
• https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186
• https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233
• https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168
• https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186
• https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190
• https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233
• https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235
• https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner