{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4261", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T11:35:10.072Z", "datePublished": "2026-03-21T03:27:07.246Z", "dateUpdated": "2026-04-08T17:26:22.446Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:22.446Z"}, "affected": [{"vendor": "husobj", "product": "Expire Users", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}], "title": "Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d676700b-8c53-4e09-a654-767810b5a775?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/expire-users/tags/1.2.2/admin/expire-user.php#L163"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "timeline": [{"time": "2026-03-20T14:37:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:26:14.791712Z", "id": "CVE-2026-4261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:26:23.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T16:26:14.791712Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:26:19.890Z"}}], "cna": {"title": "Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields", "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "husobj", "product": "Expire Users", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T14:37:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d676700b-8c53-4e09-a654-767810b5a775?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/expire-users/tags/1.2.2/admin/expire-user.php#L163"}], "descriptions": [{"lang": "en", "value": "The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:22.446Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4261", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:22.446Z", "dateReserved": "2026-03-16T11:35:10.072Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:07.246Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."}, {"lang": "es", "value": "El plugin Expire Users para WordPress es vulnerable a escalada de privilegios en todas las versiones hasta la 1.2.2, inclusive. Esto se debe a que el plugin permite a un usuario actualizar el meta 'on_expire_default_to_role' a trav\u00e9s de la funci\u00f3n 'save_extra_user_profile_fields'. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eleven sus privilegios al de un administrador."}], "id": "CVE-2026-4261", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:44.223", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/expire-users/tags/1.2.2/admin/expire-user.php#L163"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d676700b-8c53-4e09-a654-767810b5a775?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Expire Users", "source": "cna", "vendor": "husobj"}, "product": "expire_users", "vendor": "husobj"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:11:20.384902+00:00", "value": {"mitigation_remediation": ["Upgrade the Expire Users plugin to a version newer than 1.2.2."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that install the Expire Users plugin, versions 1.2.2 and earlier, provided by the vendor husobj. Users of any WordPress installation where this plugin is active and enabled are at risk, regardless of other plugins or themes in use.", "description_and_impact": "The Expire Users plugin for WordPress has a flaw that allows any authenticated user with the role of Subscriber or higher to manipulate the 'on_expire_default_to_role' meta field through the save_extra_user_profile_fields function. By updating this field, an attacker can grant themselves administrator privileges, effectively compromising the entire site. This vulnerability directly affects confidentiality, integrity, and availability by enabling a non\u2011admin user to gain full control over the WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, and because the exploit requires only authentication with a role of Subscriber or above, it is highly likely to be used in the wild. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is straightforward: an authenticated user logs in, accesses the user profile edit page, and submits a payload to change the meta field, granting themselves administrator rights."}}}}, "created": "2026-03-23T09:49:54.954720+00:00", "updated": "2026-03-25T14:41:34.590911+00:00", "vendors": ["husobj", "husobj$PRODUCT$expire_users", "wordpress", "wordpress$PRODUCT$wordpress"]}