Platform: wordpress
Component: userspn
Fixed in: 1.1.16, 1.1.20
CVE-2026-4003 is a critical privilege escalation vulnerability in the Users manager – PN plugin for WordPress (plugin slug: userspn). The affected code updates user metadata without verifying that the caller is authorized to do so, so an attacker can write arbitrary metadata for arbitrary users. Versions up to and including 1.1.15 are affected; the fix is available in version 1.1.20, released on April 7, 2026.
The impact is severe. Because the vulnerable code path performs no authorization check, an attacker can update arbitrary user metadata. In WordPress a user's roles are themselves stored as user metadata, under the prefix-dependent key `{table_prefix}capabilities` (`wp_capabilities` on a default install), so an arbitrary meta write is a direct path to granting an account the administrator role; other profile data kept in usermeta (first and last name, nickname, description, plugin-specific settings) can be altered as well. Core account fields such as the e-mail address live in the `wp_users` table rather than in usermeta, but once an attacker holds an administrator account they can change those through the normal admin interface anyway. Administrative access means full control of the site: installing malicious plugins or themes, reading the database, and defacing or redirecting the site. In impact this is comparable to vulnerabilities that allow creation of new administrator accounts.
CVE-2026-4003 was published on April 7, 2026. The CVSS base score is 9.8 (Critical). Note that CVSS measures severity, not likelihood: the EPSS estimate for this CVE is 0.51% (66th percentile), and no active exploitation has been confirmed at the time of writing. Public proof-of-concept code is still likely to appear, given how simple the flaw is to trigger and the plugin's install base. Monitor security advisories from WordPress and the plugin developer for updates and for reports of exploitation campaigns.
Exploit status:
EPSS: 0.51% (66th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-4003 is to upgrade the Users manager – PN plugin to version 1.1.20 or later without delay. If the upgrade cannot be applied immediately (compatibility testing, change windows), temporary measures are limited: the flaw sits in the plugin's own request handling, so a generic WAF signature is hard to write, but blocking requests that reach the unauthenticated AJAX handler userspnajaxnopriv_server() (the "nopriv" in its name follows the WordPress convention for handlers that run for logged-out callers) reduces exposure, at the cost of breaking whatever front-end feature depends on it. If the plugin is not actually needed, deactivating it removes the attack surface entirely. Test any such change in a staging environment before applying it to production. After upgrading, verify the fix: confirm the installed version on the Plugins screen or with WP-CLI, attempt an unauthenticated user-metadata update against the site and confirm it is rejected, and review the user list for unexpected administrator accounts or role changes made before the patch, because upgrading does not undo a compromise that has already happened.
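The class of bug described above, shown as an added illustration that is not the plugin's code: a WordPress AJAX handler that lets the caller choose the user ID, meta key and value with no authorization check, beside a hardened version. The hook and function names beginning with `example_` are hypothetical; the WordPress API calls (`add_action`, `check_ajax_referer`, `current_user_can`, `update_user_meta`, `sanitize_key`, `wp_send_json_error`) are real core functions.

```php
<?php
/**
 * Added illustration, not the plugin's code. Shows the vulnerable pattern the
 * advisory describes next to a hardened handler. Names starting with
 * "example_" are hypothetical; everything else is WordPress core API.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registered for logged-out callers (wp_ajax_nopriv_*), no nonce, no
// capability check, and the request body chooses user, key and value.
add_action( 'wp_ajax_nopriv_example_update_meta', 'example_vulnerable_update_meta' );
add_action( 'wp_ajax_example_update_meta',        'example_vulnerable_update_meta' );
function example_vulnerable_update_meta() {
    $user_id = (int) $_POST['user_id'];
    $key     = $_POST['meta_key'];    // attacker sends "wp_capabilities"
    $value   = $_POST['meta_value'];  // attacker sends array( 'administrator' => true )
    // Roles live in usermeta under {$wpdb->prefix}capabilities, so this one
    // call is enough to turn any account into an administrator.
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}

// --- Hardened form ------------------------------------------------------
// Only the authenticated hook is registered; a logged-out request to this
// action gets admin-ajax.php's default "0" response and never runs the code.
add_action( 'wp_ajax_example_update_meta_safe', 'example_hardened_update_meta' );
function example_hardened_update_meta() {
    // CSRF token bound to the logged-in session; dies with 403 on failure.
    check_ajax_referer( 'example_update_meta', 'nonce' );

    // Authorization: the caller must be allowed to edit *this* user.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list the key. sanitize_key() lowercases and strips everything
    // outside [a-z0-9_-], so the comparison below is exact.
    $key = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! example_meta_key_is_writable( $key ) ) {
        wp_send_json_error( 'meta key not allowed', 400 );
    }

    $value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}

/**
 * Only harmless profile keys may be written through this endpoint. The
 * prefix-dependent capabilities/user_level keys are additionally listed as
 * blocked so the intent survives a careless edit of the allow-list.
 */
function example_meta_key_is_writable( $key ) {
    global $wpdb;
    $allowed = array( 'first_name', 'last_name', 'nickname', 'description' );
    $blocked = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    return in_array( $key, $allowed, true ) && ! in_array( $key, $blocked, true );
}
```

Two points the hardened version relies on. First, `current_user_can( 'edit_user', $id )` is true for a user editing their own account, so the capability check alone would still let a subscriber write `wp_capabilities` on their own record and promote themselves; the key allow-list is what actually prevents role escalation. Second, a role change that is legitimately needed should go through `WP_User::set_role()` rather than a raw meta write, so it is subject to WordPress's own role handling and the `set_user_role` hook.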
Update to version 1.1.20, or a newer patched version
CVE-2026-4003 is a critical vulnerability in the Users manager – PN WordPress plugin allowing attackers to escalate privileges by arbitrarily updating user metadata due to flawed authorization checks.
You are affected if you run the Users manager – PN plugin at version 1.1.15 or earlier, regardless of the WordPress core version. Check the installed plugin version immediately.
Upgrade the Users manager – PN plugin to version 1.1.20 or later to resolve this vulnerability. Test the upgrade in a staging environment first.
No active exploitation has been confirmed and the EPSS estimate is only 0.51%, but the flaw is trivial to trigger and carries a CVSS score of 9.8, so treat it as likely to be exploited once proof-of-concept code circulates. Monitor security advisories and review your logs.
Refer to the official Users manager – PN plugin website or WordPress plugin repository for the latest security advisory and update information.