Platform
wordpress
Component
userspn
Fixed in
1.1.16
1.1.20
CVE-2026-4003 is a critical privilege escalation vulnerability in the Users manager – PN plugin for WordPress. The flaw lets attackers bypass authorization checks and modify arbitrary user metadata, potentially leading to unauthorized access and control. It affects versions up to 1.1.15; a fix is available in version 1.1.20, released on April 7, 2026.
The impact of CVE-2026-4003 is severe. An attacker exploiting this vulnerability can bypass authentication and authorization checks to update arbitrary user metadata, including sensitive fields such as user roles, email addresses, and other profile details. Successful exploitation could grant the attacker administrative privileges, enabling them to compromise the entire WordPress site: install malicious code, steal data, or deface the website. The missing authorization check makes this a high-risk vulnerability that can lead to a complete takeover of the affected WordPress instance, comparable in impact to vulnerabilities that allow arbitrary user creation with administrator privileges.
CVE-2026-4003 was published on April 7, 2026. Its severity is pending further evaluation, but the CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and the plugin's popularity. Monitor security advisories from WordPress and the plugin developer for updates and for signs of active exploitation campaigns.
Exploit Status
EPSS
0.51% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4003 is to upgrade the Users manager – PN plugin to version 1.1.20 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, consider temporary workarounds. A direct WAF rule is difficult to write because the flaw lies in the plugin's internal logic, but restricting access to the userspnajaxnopriv_server() endpoint could offer some limited protection. Thoroughly test any configuration change in a staging environment before applying it to production. After upgrading, confirm the fix by attempting to update user metadata as an unauthenticated user; the update should be rejected.
Update to version 1.1.20, or a newer patched version.
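The advisory above says the root cause is a missing authorization check on an AJAX handler that updates user metadata, and that the post-upgrade check is "an unauthenticated update must be rejected". The following block is an added illustration of the authorization layers such a WordPress AJAX handler needs; it is not the Users manager – PN plugin's own code, and the action name, nonce name, field names and meta keys are hypothetical.

```php
<?php
/*
 * Added illustration, NOT the Users manager – PN plugin's code.
 * Shows the checks a WordPress AJAX handler that writes user metadata
 * must perform. All names (example_*) are hypothetical.
 */

// Layer 1: register ONLY the authenticated hook. Because no
// 'wp_ajax_nopriv_example_update_meta' hook is registered, WordPress
// rejects logged-out requests before this handler ever runs. This is
// exactly the behaviour the advisory tells you to verify after upgrading.
add_action( 'wp_ajax_example_update_meta', 'example_update_meta_handler' );

function example_update_meta_handler() {
    // Layer 2: CSRF protection. The request must carry a nonce issued for
    // this action (created with wp_create_nonce( 'example_update_meta_nonce' )).
    check_ajax_referer( 'example_update_meta_nonce', 'security' );

    // Layer 3: authorization. Being logged in is not enough; the caller must
    // hold the capability to edit the *target* user, not just any user.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // Layer 4: allow-list the meta keys that may be written. Accepting an
    // arbitrary key from the request would let a caller touch sensitive
    // keys such as the capabilities/role key, which is the privilege
    // escalation path described in the advisory.
    $allowed_keys = array( 'example_phone', 'example_department' );
    $key   = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';
    if ( ! in_array( $key, $allowed_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported meta key' ), 400 );
    }

    // Role changes are deliberately out of scope for this endpoint; they
    // belong in a separate handler that calls WP_User::set_role() and is
    // guarded by current_user_can( 'promote_users' ).
    update_user_meta( $target_id, $key, $value );
    wp_send_json_success( array( 'updated' => $key ) );
}
```

The four layers are independent: removing any one of them reopens a distinct attack path (unauthenticated access, CSRF, horizontal escalation to other users' profiles, or vertical escalation through a sensitive meta key). When reviewing a plugin for this class of flaw, check that each handler registered with `wp_ajax_nopriv_*` is genuinely meant to be reachable without a session, and that every handler that writes user data calls `current_user_can()` against the specific target user.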
CVE-2026-4003 is a critical vulnerability in the Users manager – PN WordPress plugin allowing attackers to escalate privileges by arbitrarily updating user metadata due to flawed authorization checks.
You are affected if you run version 1.1.15 or earlier of the Users manager – PN plugin on WordPress. Check your plugin version immediately.
Upgrade the Users manager – PN plugin to version 1.1.20 or later to resolve this vulnerability. Test the upgrade in a staging environment first.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation. Monitor security advisories and logs.
Refer to the official Users manager – PN plugin website or WordPress plugin repository for the latest security advisory and update information.