CVE-2026-4003: WordPress Users Manager PN Plugin Privilege Escalation (CVSS 9.8)

Executive Summary

A critical privilege escalation vulnerability (CVE-2026-4003, CVSS 9.8) has been discovered in the Users Manager – PN plugin for WordPress. The flaw affects all versions up to and including 1.1.15 and stems from a broken authorization logic check inside the userspn_ajax_nopriv_server() function when handling the userspn_form_save action.

Because the check is improperly implemented, any unauthenticated or low-privileged attacker can submit a crafted AJAX request to update the wp_capabilities or other critical user meta fields for any WordPress user account — effectively escalating privileges to administrator without valid credentials.

Site owners running the affected plugin should remove or update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-4003
CVSS Score	9.8 (Critical)
CWE	CWE-269 — Improper Privilege Management
Type	Privilege Escalation via Arbitrary User Meta Update
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Check plugin repository for updated version

Affected Versions

Plugin	Affected Versions	Status
Users Manager – PN	<= 1.1.15	Vulnerable — update or remove

Technical Analysis

Root Cause

The plugin registers an unauthenticated AJAX handler via wp_ajax_nopriv_userspn_ajax_nopriv_server, which is accessible to all visitors without any login requirement. Within the userspn_form_save case of this handler, the plugin is designed to allow users to save profile-related data. However, the authorization logic that determines whose user meta can be written contains a critical flaw:

// Vulnerable pseudo-code — flawed condition
function userspn_ajax_nopriv_server() {
    $action = sanitize_text_field($_POST['userspn_action']);
 
    if ($action === 'userspn_form_save') {
        $user_id = intval($_POST['user_id']); // Attacker-controlled
        $meta_key = sanitize_text_field($_POST['meta_key']);
        $meta_value = $_POST['meta_value'];
 
        // FLAW: No ownership or capability check here
        update_user_meta($user_id, $meta_key, $meta_value);
        wp_send_json_success();
    }
}

Because $user_id, $meta_key, and $meta_value are all attacker-controlled and there is no check confirming the requester owns or has rights to modify the target account, an attacker can:

Submit any valid WordPress user ID (including 1 for the admin)
Specify wp_capabilities as the meta key
Set the meta value to a:1:{s:13:"administrator";b:1;} — the serialized representation of WordPress admin capability
Trigger instant privilege escalation to full administrator

Exploitation Conditions

Plugin Users Manager – PN version 1.1.15 or earlier must be installed and active
No credentials, tokens, or prior access required — fully unauthenticated
The target user's ID must be known or guessable (WordPress user ID 1 is the primary admin on nearly every installation)

Attack Flow

1. Attacker identifies a WordPress site running Users Manager – PN <= 1.1.15
2. Attacker sends unauthenticated POST request to wp-admin/admin-ajax.php:
   action=userspn_ajax_nopriv_server
   userspn_action=userspn_form_save
   user_id=1  (or any target user)
   meta_key=wp_capabilities
   meta_value=a:1:{s:13:"administrator";b:1;}
3. Plugin calls update_user_meta(1, 'wp_capabilities', ...) without any auth check
4. Attacker's account (if registered) or the victim account (user_id=1) now has full admin capabilities
5. Attacker logs in as admin (if own account was targeted) or resets admin password via WordPress

Impact Assessment

Impact Area	Description
Full Administrator Takeover	Any WordPress user — including the primary admin account — can have its capabilities overwritten
Site Defacement	Admin access enables unrestricted theme, plugin, and content modification
Persistent Backdoor	Attacker can create new admin accounts or install malicious plugins
Data Exfiltration	Access to all stored user PII, custom post types, and plugin data
Malware Injection	PHP file modification possible via plugin/theme editor or file manager
Hosting Pivot	On shared hosting, full WordPress control may extend to other hosted sites

Remediation

Step 1: Remove or Update the Plugin

Check the WordPress Plugin Repository for an updated version. If no patch is available:

# Via WP-CLI — deactivate and delete the plugin
wp plugin deactivate users-manager-pn
wp plugin delete users-manager-pn

Or deactivate through the WordPress admin panel: Plugins > Installed Plugins > Users Manager – PN > Deactivate > Delete.

Step 2: Audit for Existing Compromise

# List all users with administrator role — look for unexpected accounts
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
 
# Check for recently modified user meta (wp_capabilities changes)
wp db query "SELECT user_id, meta_key, meta_value, umeta_id FROM wp_usermeta WHERE meta_key='wp_capabilities' ORDER BY umeta_id DESC LIMIT 20;"
 
# Check for recently installed plugins (attacker persistence)
wp plugin list --status=active --format=table

Step 3: Harden and Reset

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress authentication keys and salts
wp config shuffle-salts
 
# Invalidate all active sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key='session_tokens';"

Step 4: Deploy a Web Application Firewall

Block unauthenticated AJAX requests matching userspn_ajax_nopriv_server at the WAF level while the plugin is removed or patched. Wordfence, Sucuri, or Cloudflare with WordPress rulesets can help.

Detection Indicators

Indicator	Description
Unexpected administrator accounts	Newly created or promoted admin accounts
`wp_capabilities` meta changes in `wp_usermeta`	Core sign of privilege escalation attempt
AJAX POST requests to `admin-ajax.php` with `userspn_form_save`	Active exploitation attempt in access logs
Plugin/theme file modifications from unfamiliar sessions	Post-compromise backdoor activity
New plugin installations via admin panel	Attacker establishing persistence

Post-Remediation Checklist

Remove or update Users Manager – PN to a patched version
Audit all administrator accounts and remove unauthorized entries
Check wp_usermeta for unexpected wp_capabilities modifications
Reset all administrator passwords and regenerate WordPress secret keys
Invalidate all active sessions to force re-authentication
Scan for webshells and backdoors in wp-content/ directory
Review server access logs for evidence of prior exploitation via admin-ajax.php
Enable two-factor authentication on all administrator accounts
Deploy a WAF to block future unauthenticated AJAX abuse

References

Executive Summary

Site owners running the affected plugin should remove or update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-4003
CVSS Score	9.8 (Critical)
CWE	CWE-269 — Improper Privilege Management
Type	Privilege Escalation via Arbitrary User Meta Update
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Check plugin repository for updated version

Affected Versions

Plugin	Affected Versions	Status
Users Manager – PN	<= 1.1.15	Vulnerable — update or remove

Technical Analysis

Root Cause

// Vulnerable pseudo-code — flawed condition
function userspn_ajax_nopriv_server() {
    $action = sanitize_text_field($_POST['userspn_action']);
 
    if ($action === 'userspn_form_save') {
        $user_id = intval($_POST['user_id']); // Attacker-controlled
        $meta_key = sanitize_text_field($_POST['meta_key']);
        $meta_value = $_POST['meta_value'];
 
        // FLAW: No ownership or capability check here
        update_user_meta($user_id, $meta_key, $meta_value);
        wp_send_json_success();
    }
}

Because $user_id, $meta_key, and $meta_value are all attacker-controlled and there is no check confirming the requester owns or has rights to modify the target account, an attacker can:

Submit any valid WordPress user ID (including 1 for the admin)
Specify wp_capabilities as the meta key
Set the meta value to a:1:{s:13:"administrator";b:1;} — the serialized representation of WordPress admin capability
Trigger instant privilege escalation to full administrator

Exploitation Conditions

Plugin Users Manager – PN version 1.1.15 or earlier must be installed and active
No credentials, tokens, or prior access required — fully unauthenticated
The target user's ID must be known or guessable (WordPress user ID 1 is the primary admin on nearly every installation)

Attack Flow

1. Attacker identifies a WordPress site running Users Manager – PN <= 1.1.15
2. Attacker sends unauthenticated POST request to wp-admin/admin-ajax.php:
   action=userspn_ajax_nopriv_server
   userspn_action=userspn_form_save
   user_id=1  (or any target user)
   meta_key=wp_capabilities
   meta_value=a:1:{s:13:"administrator";b:1;}
3. Plugin calls update_user_meta(1, 'wp_capabilities', ...) without any auth check
4. Attacker's account (if registered) or the victim account (user_id=1) now has full admin capabilities
5. Attacker logs in as admin (if own account was targeted) or resets admin password via WordPress

Impact Assessment

Impact Area	Description
Full Administrator Takeover	Any WordPress user — including the primary admin account — can have its capabilities overwritten
Site Defacement	Admin access enables unrestricted theme, plugin, and content modification
Persistent Backdoor	Attacker can create new admin accounts or install malicious plugins
Data Exfiltration	Access to all stored user PII, custom post types, and plugin data
Malware Injection	PHP file modification possible via plugin/theme editor or file manager
Hosting Pivot	On shared hosting, full WordPress control may extend to other hosted sites

Remediation

Step 1: Remove or Update the Plugin

Check the WordPress Plugin Repository for an updated version. If no patch is available:

# Via WP-CLI — deactivate and delete the plugin
wp plugin deactivate users-manager-pn
wp plugin delete users-manager-pn

Or deactivate through the WordPress admin panel: Plugins > Installed Plugins > Users Manager – PN > Deactivate > Delete.

Step 2: Audit for Existing Compromise

# List all users with administrator role — look for unexpected accounts
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
 
# Check for recently modified user meta (wp_capabilities changes)
wp db query "SELECT user_id, meta_key, meta_value, umeta_id FROM wp_usermeta WHERE meta_key='wp_capabilities' ORDER BY umeta_id DESC LIMIT 20;"
 
# Check for recently installed plugins (attacker persistence)
wp plugin list --status=active --format=table

Step 3: Harden and Reset

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress authentication keys and salts
wp config shuffle-salts
 
# Invalidate all active sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key='session_tokens';"

Step 4: Deploy a Web Application Firewall

Block unauthenticated AJAX requests matching userspn_ajax_nopriv_server at the WAF level while the plugin is removed or patched. Wordfence, Sucuri, or Cloudflare with WordPress rulesets can help.

Detection Indicators

Indicator	Description
Unexpected administrator accounts	Newly created or promoted admin accounts
`wp_capabilities` meta changes in `wp_usermeta`	Core sign of privilege escalation attempt
AJAX POST requests to `admin-ajax.php` with `userspn_form_save`	Active exploitation attempt in access logs
Plugin/theme file modifications from unfamiliar sessions	Post-compromise backdoor activity
New plugin installations via admin panel	Attacker establishing persistence

Post-Remediation Checklist

Remove or update Users Manager – PN to a patched version
Audit all administrator accounts and remove unauthorized entries
Check wp_usermeta for unexpected wp_capabilities modifications
Reset all administrator passwords and regenerate WordPress secret keys
Invalidate all active sessions to force re-authentication
Scan for webshells and backdoors in wp-content/ directory
Review server access logs for evidence of prior exploitation via admin-ajax.php
Enable two-factor authentication on all administrator accounts
Deploy a WAF to block future unauthenticated AJAX abuse

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Exploitation Conditions

Attack Flow

Impact Assessment

Remediation

Step 1: Remove or Update the Plugin

Step 2: Audit for Existing Compromise

Step 3: Harden and Reset

Step 4: Deploy a Web Application Firewall

Detection Indicators

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Exploitation Conditions

Attack Flow

Impact Assessment

Remediation

Step 1: Remove or Update the Plugin

Step 2: Audit for Existing Compromise

Step 3: Harden and Reset

Step 4: Deploy a Web Application Firewall

Detection Indicators

Post-Remediation Checklist

References