CVE-2026-3629: WordPress User Import Plugin Privilege Escalation
A privilege escalation vulnerability has been disclosed in the popular Import and export users and customers plugin for WordPress, tracked as CVE-2026-3629 with a CVSS score of 8.1 (High). All plugin versions up to and including 1.29.7 are affected. The flaw allows an authenticated low-privileged user — such as a subscriber — to elevate their role to site administrator without any additional authorization checks.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3629 |
| CVSS Score | 8.1 (High) |
| CWE Classification | CWE-269 — Improper Privilege Management |
| Affected Plugin | Import and export users and customers (WordPress) |
| Affected Versions | All versions up to and including 1.29.7 |
| Attack Vector | Authenticated (Subscriber-level or higher) |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Published | March 21, 2026 |
Technical Analysis
The vulnerability resides in the save_extra_user_profile_fields function within the plugin. This function is responsible for saving custom fields associated with a user's profile during updates. The core issue is that the function fails to restrict which WordPress user meta keys may be updated through the profile field inputs it processes.
WordPress stores user roles internally as a serialized entry in the wp_usermeta table under the wp_capabilities meta key. Because save_extra_user_profile_fields does not validate or blocklist sensitive meta keys, an authenticated user can craft a profile update request that writes directly to the wp_capabilities meta entry — overriding their current role assignment with any role of their choosing, including administrator.
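To make the defect concrete, here is an added illustration (not the plugin's real code): a hypothetical handler in the vulnerable shape the advisory describes, followed by a hardened rewrite that only writes keys the plugin itself declared. The field names (phone, company, department) and both function names are assumptions.

```php
<?php
// Added illustration, not the plugin's real code: a hypothetical handler in the
// vulnerable shape the advisory describes, then a hardened rewrite. Field names
// (phone, company, department) and both function names are assumed.

// VULNERABLE PATTERN: every posted key becomes a user-meta write, so a request
// carrying wp_capabilities[administrator]=1 rewrites the stored role map.
function save_extra_user_profile_fields_vulnerable( $user_id ) {
    foreach ( $_POST as $meta_key => $meta_value ) {
        update_user_meta( $user_id, $meta_key, $meta_value ); // no key restriction
    }
}

// HARDENED: only keys the plugin declared are written, role-bearing keys are
// refused regardless, and array values (which would be serialized) are dropped.
function save_extra_user_profile_fields_hardened( $user_id ) {
    global $wpdb;

    // profile.php performs these checks before firing the hooks below; repeating
    // them keeps the function safe if it is ever reached through another path.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    check_admin_referer( 'update-user_' . $user_id );

    $declared_fields = array( 'phone', 'company', 'department' ); // the plugin's own fields
    $protected_keys  = array(
        $wpdb->get_blog_prefix() . 'capabilities', // wp_capabilities with the default prefix
        $wpdb->get_blog_prefix() . 'user_level',
    );

    foreach ( $declared_fields as $field ) {
        if ( in_array( $field, $protected_keys, true ) || ! isset( $_POST[ $field ] ) ) {
            continue;
        }
        if ( is_array( $_POST[ $field ] ) ) {
            continue; // scalars only
        }
        update_user_meta( $user_id, $field, sanitize_text_field( wp_unslash( $_POST[ $field ] ) ) );
    }
}

// These actions fire after WordPress's own nonce and capability checks in profile.php.
add_action( 'personal_options_update', 'save_extra_user_profile_fields_hardened' );
add_action( 'edit_user_profile_update', 'save_extra_user_profile_fields_hardened' );
```

Note that WordPress's is_protected_meta() only shields keys beginning with an underscore, so the capabilities and user_level keys must be excluded explicitly.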
Exploitation Path
1. Attacker registers or holds a low-privilege WordPress account (e.g., Subscriber)
2. Attacker crafts an HTTP POST request to the profile update endpoint, injecting the wp_capabilities meta key into the request body: wp_capabilities[administrator] = 1
3. The plugin's save_extra_user_profile_fields function processes the request without filtering sensitive meta keys
4. WordPress writes the attacker-controlled value to the wp_usermeta table, granting the attacker Administrator role
5. Attacker now has full administrative access to the WordPress site
Scope and Prevalence
The Import and export users and customers plugin is a widely used WordPress tool for bulk user management — importing users via CSV, exporting user lists, and synchronizing user data between systems. Its install base spans e-commerce operations, membership sites, educational platforms, and enterprise WordPress deployments.
Sites with open user registration enabled face the highest risk, as external attackers can self-register and then immediately exploit the vulnerability to escalate to administrator.
Remediation
Primary Fix: Update the Plugin
Update to a patched version of the plugin immediately:
```bash
# Via WP-CLI
wp plugin update import-users-from-csv-with-meta
# Verify installed version
wp plugin get import-users-from-csv-with-meta --field=version
```
Or update via WordPress Admin > Plugins > Installed Plugins > Import and export users and customers > Update Now.
Interim Mitigations (Pre-Patch)
If an immediate update is not possible:
- Disable open user registration — go to WordPress Admin > Settings > General > uncheck "Anyone can register"
- Deactivate the plugin until a patched version is available if user registration cannot be restricted
- Audit existing user accounts for unexpected administrator role assignments
- Deploy a WordPress WAF (Wordfence, Sucuri) with rules targeting meta key manipulation in profile updates
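For sites that cannot update or deactivate the plugin right away, the following added example (not part of the advisory or of the plugin) is a must-use plugin that refuses user-meta writes to the role-bearing keys by any logged-in user who lacks promote_users, and logs each blocked attempt. The function name and log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Role Meta Guard (added example, not part of the advisory or the plugin)
 * Description: Interim guard for sites that cannot update yet. Refuses user-meta
 * writes to the role-bearing keys by any logged-in user who may not promote
 * users, and logs the attempt. Place the file in wp-content/mu-plugins/.
 */

// Both filters run inside update_metadata()/add_metadata() before the database
// write; returning a non-null value short-circuits the write.
add_filter( 'update_user_metadata', 'rmg_guard_role_meta', 10, 5 );
add_filter( 'add_user_metadata', 'rmg_guard_role_meta', 10, 5 );

function rmg_guard_role_meta( $check, $user_id, $meta_key, $meta_value, $unused ) {
    global $wpdb;
    $role_keys = array(
        $wpdb->get_blog_prefix() . 'capabilities', // wp_capabilities with the default prefix
        $wpdb->get_blog_prefix() . 'user_level',
    );
    if ( ! in_array( $meta_key, $role_keys, true ) ) {
        return $check; // ordinary meta key, let WordPress proceed
    }
    // Self-registration and WP-CLI run with no logged-in user and must still be
    // able to assign the initial role; the attacker in this advisory is authenticated.
    if ( ! is_user_logged_in() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $check;
    }
    // Legitimate role changes are made by someone holding promote_users.
    if ( current_user_can( 'promote_users' ) ) {
        return $check;
    }
    error_log( sprintf(
        'role-meta-guard: blocked write of %s for user %d by user %d from %s',
        $meta_key, $user_id, get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
    return false; // update_user_meta() now returns false and nothing is stored
}
```

Flows that legitimately change a logged-in user's role without promote_users (membership or e-commerce upgrades, for instance) will also be blocked, so test on staging and add exemptions as needed.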
Detection
Identify potentially compromised accounts or active exploitation attempts:
```bash
# List all current administrator accounts via WP-CLI
wp user list --role=administrator --format=table
# Check for recently modified user capabilities
wp db query "SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key='wp_capabilities' ORDER BY umeta_id DESC LIMIT 50;"
# Review server logs for profile update POSTs containing capabilities
# (access logs do not record POST bodies, so correlate by time, source IP and account)
grep "wp-login.php\|wp-admin/profile.php" /var/log/nginx/access.log | grep "POST"
```
Unexpected administrator accounts that were not manually provisioned should be investigated as potential indicators of exploitation.
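The WP-CLI checks above list administrators but leave the comparison to the reader. The following added audit script (an example, not from the advisory) runs under wp eval-file, flags administrators missing from an expected baseline or registered recently, and prints the raw stored capabilities row. The baseline logins are placeholders to fill in.

```php
<?php
// Added audit script (example, not from the advisory). Run as: wp eval-file audit-admins.php
// Every administrator is listed; an account missing from the expected baseline, or
// registered recently, fits the self-register-then-escalate path and deserves review.

$expected_admins = array( 'EXPECTED_ADMIN_LOGIN_1', 'EXPECTED_ADMIN_LOGIN_2' ); // placeholders
$recent_days     = 30;

global $wpdb;
$cap_key = $wpdb->get_blog_prefix() . 'capabilities'; // "wp_capabilities" only with the default prefix
$cutoff  = time() - $recent_days * DAY_IN_SECONDS;    // user_registered is stored in UTC

$flagged = 0;
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    $flags = array();
    if ( ! in_array( $user->user_login, $expected_admins, true ) ) {
        $flags[] = 'not-in-baseline';
    }
    if ( strtotime( $user->user_registered ) >= $cutoff ) {
        $flags[] = "registered-within-{$recent_days}d";
    }
    // Raw stored value: WP_User::set_role() stores the role flag as b:1; a value that
    // arrived from a form field can instead appear as the string s:1:"1", which is one
    // tell worth noting when a row looks unexpected.
    $raw = $wpdb->get_var( $wpdb->prepare(
        "SELECT meta_value FROM {$wpdb->usermeta} WHERE user_id = %d AND meta_key = %s",
        $user->ID, $cap_key
    ) );
    WP_CLI::line( sprintf( '%-6d %-24s registered %s  %s  %s',
        $user->ID, $user->user_login, $user->user_registered,
        $flags ? implode( ',', $flags ) : 'ok', $raw ) );
    if ( $flags ) {
        $flagged++;
    }
}
WP_CLI::line( sprintf( '%d administrator account(s) flagged for review', $flagged ) );
```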
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Site Takeover | Administrator access enables complete control over WordPress |
| Code Execution | Admins can install plugins or modify themes to execute server-side code |
| Data Access | Full access to user PII, order data, and content |
| Persistence | Attacker-created admin accounts survive plugin removal |
| Attack Barrier | Requires at least subscriber-level account; open registration sites are most exposed |
Key Takeaways
- CVE-2026-3629 is a CVSS 8.1 High privilege escalation in the WordPress Import and export users plugin (≤ 1.29.7)
- The save_extra_user_profile_fields function allows authenticated users to overwrite the wp_capabilities meta key, granting themselves any role including administrator
- Sites with open user registration are at highest risk — external attackers can self-register and immediately escalate
- Update the plugin immediately to a patched version; audit existing admin accounts for unexpected entries
- No confirmed in-the-wild exploitation was reported at the time of NVD disclosure on March 21, 2026