{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4003", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T18:52:48.888Z", "datePublished": "2026-04-08T03:36:08.200Z", "dateUpdated": "2026-04-08T16:42:58.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:58.430Z"}, "affected": [{"vendor": "felixmartinez", "product": "Users manager \u2013 PN", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Users manager \u2013 PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field."}], "title": "Users manager \u2013 PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491109%40userspn&new=3491109%40userspn&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "HA GIA BAO"}], "timeline": [{"time": "2026-03-12T22:34:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:32:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:48:48.869485Z", "id": "CVE-2026-4003", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:14:10.743Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:48:48.869485Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:48:56.116Z"}}], "cna": {"title": "Users manager \u2013 PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "HA GIA BAO"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "felixmartinez", "product": "Users manager \u2013 PN", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T22:34:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T15:32:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235"}, {"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491109%40userspn&new=3491109%40userspn&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Users manager \u2013 PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:58.430Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4003", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:58.430Z", "dateReserved": "2026-03-11T18:52:48.888Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T03:36:08.200Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Users manager \u2013 PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field."}], "id": "CVE-2026-4003", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:06.347", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491109%40userspn&new=3491109%40userspn&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Users manager \u2013 PN", "source": "cna", "vendor": "felixmartinez"}, "product": "users_manager_\u2013_pn", "vendor": "felixmartinez"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:22:59.046892+00:00", "value": {"mitigation_remediation": ["Update the Users manager \u2013 PN plugin to the newest available version, which removes the flawed authorisation check and properly protects the AJAX endpoint.", "If an update is not immediately possible, add code to the site or use a security plugin to block the 'userspn_form_save' AJAX action for unauthenticated users, for example by hooking into wp_ajax_nopriv_userspn_form_save and returning an error.", "Verify that the nonce is no longer exposed publicly by reviewing the wp_localize_script calls on the frontend.", "After applying the fix, test that non\u2011registered visitors can no longer modify user meta for existing accounts.", "Continuously monitor the WordPress security advisories for the plugin and keep all other plugins, themes, and core WordPress updated."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation: Account Takeover"}, "threat_synthesis": {"affected_systems": "This flaw affects all installations of the Users manager \u2013 PN plugin by felixmartinez with version 1.1.15 or earlier on any WordPress site that has the plugin activated.", "description_and_impact": "The Users manager \u2013 PN WordPress plugin allows an attacker who is not logged in to call the AJAX endpoint 'userspn_form_save' and supply a non\u2011empty user_id. Because the plugin\u2019s authorization logic only blocks requests when user_id is empty, it bypasses the check and updates arbitrary user meta via update_user_meta() even for locked user accounts. The required nonce is publicly exposed, rendering it useless. Attacker can change any meta field, including userspn_secret_token, effectively assuming control of an arbitrary user account.", "risk_and_exploitability": "With a CVSS score of 9.8, this vulnerability is considered critical. The lack of authentication or authorization checks means the attacker can exploit it from any web\u2011connected device simply by sending a crafted HTTP request to the exposed AJAX endpoint, provided they have the public nonce. The EPSS score is not published, and the issue is not listed in CISA\u2019s KEV catalog, but the ease of exploitation and lack of mitigation make it a high\u2011risk asset. Adversaries likely would use automated scripts or malicious JS to submit the request and obtain a new token for the target account."}}}}, "created": "2026-04-08T19:33:27.930573+00:00", "updated": "2026-04-08T19:44:05.193899+00:00", "vendors": ["felixmartinez", "felixmartinez$PRODUCT$users_manager_\u2013_pn", "wordpress", "wordpress$PRODUCT$wordpress"]}