CVE-2026-3629 in Import and Export Users and Customers Plugin

Summary

by MITRE • 03/22/2026

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.


Analysis

by VulDB Data Team • 03/22/2026

The vulnerability described in CVE-2026-3629 represents a critical privilege escalation flaw within the Import and export users and customers plugin for WordPress, affecting all versions up to and including 1.29.7. This issue stems from inadequate input validation and access control mechanisms within the plugin's user profile handling functionality, creating a pathway for unauthorized privilege elevation that could compromise entire WordPress installations. The vulnerability specifically targets the plugin's handling of user meta data during profile updates, where the security controls fail to properly validate which meta keys can be modified through user-facing interfaces.

The technical flaw manifests in the 'save_extra_user_profile_fields' function which lacks proper sanitization and authorization checks for user meta key modifications. The 'get_restricted_fields' method fails to include critical meta keys such as 'wp_capabilities' in its restricted list, allowing attackers to manipulate these sensitive fields through crafted profile submissions. This oversight creates a direct vector for privilege escalation since the 'wp_capabilities' meta key directly controls user permissions within WordPress's capability-based access control system. The vulnerability requires specific preconditions to be exploitable, including the "Show fields in profile" setting being enabled and a prior CSV import containing a 'wp_capabilities' column header, which together create the necessary attack surface for successful exploitation.

The operational impact of this vulnerability is severe as it allows unauthenticated attackers to escalate their privileges to administrator level without requiring valid credentials or prior access to the system. This privilege escalation capability transforms a potential user registration attack into a full system compromise, enabling attackers to modify all aspects of the WordPress installation including plugin management, theme customization, content creation, and user management. The vulnerability's exploitation requires minimal user interaction beyond the initial registration process, making it particularly dangerous in environments where user registration is enabled and accessible to unauthenticated users. The requirement for a prior CSV import with specific column headers suggests that this vulnerability may be more prevalent in environments where bulk user management operations have been performed, increasing the attack surface for organizations with established user import workflows.

Mitigation strategies should focus on immediately updating the plugin to a version that addresses the privilege escalation vulnerability, as well as implementing additional security controls such as disabling user registration for untrusted users, reviewing and restricting profile field visibility settings, and monitoring for unauthorized user meta key modifications. Organizations should also consider implementing web application firewalls with rules specifically designed to detect and block attempts to manipulate sensitive user capability fields, and conduct thorough security assessments of all user management plugins to identify similar privilege escalation vulnerabilities. The vulnerability aligns with CWE-264, which addresses permissions, privileges, and access controls, and represents a significant risk in the ATT&CK framework under privilege escalation, specifically the 'Valid Accounts' technique (T1078), which covers using legitimate credentials to gain higher privileges within a system.
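The flaw described in the summary and analysis, a denylist of "restricted" meta keys that omits the capability keys, and the hardening the mitigation paragraph asks for, are shown below as an added PHP example. This is illustrative code written for this page, not the plugin's own source: `weak_restricted_fields`, `is_protected_user_meta_key`, both `filter_profile_fields_*` functions, the `sanitize_text_field_fallback` stand-in, the `wp_` prefix default and the constructed request are all assumptions; the plugin's real `get_restricted_fields` and `save_extra_user_profile_fields` are only named in the advisory, not reproduced here.

```php
<?php
// Added example for CVE-2026-3629, not the plugin's code. Shows why a
// denylist of restricted meta keys is fragile and how an allowlist plus a
// protected-key check stops a profile/registration form from writing
// authorization data such as wp_capabilities.

// Hypothetical denylist in the style the advisory describes: it forgets the
// capability keys, so a field named "wp_capabilities" passes straight through.
function weak_restricted_fields(): array {
    return ['user_pass', 'user_email', 'user_login'];   // constructed list
}

// Keys that control authorization and must never be writable from a
// user-facing form. WordPress stores them under the table prefix, so "wp_"
// is only the default; in a real plugin pass $wpdb->prefix instead.
function is_protected_user_meta_key(string $key, string $prefix = 'wp_'): bool {
    $key = strtolower(trim($key));
    // Exact matches for the prefixed keys of this site...
    if ($key === $prefix . 'capabilities' || $key === $prefix . 'user_level') {
        return true;
    }
    // ...plus a suffix check so a non-default or unexpected prefix
    // (for example another blog's prefix on multisite) is still caught.
    foreach (['capabilities', 'user_level'] as $suffix) {
        if (substr($key, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    // Core account fields that a profile-field handler should never touch.
    return in_array($key, ['user_pass', 'user_email', 'user_login', 'session_tokens'], true);
}

// Vulnerable pattern: every submitted field not on the denylist is kept.
function filter_profile_fields_denylist(array $submitted): array {
    return array_diff_key($submitted, array_flip(weak_restricted_fields()));
}

// Hardened pattern: only fields the administrator explicitly exposed are
// considered, and protected keys are dropped even when an earlier CSV import
// created a profile field with that name.
function filter_profile_fields_allowlist(array $submitted, array $exposed, string $prefix = 'wp_'): array {
    $clean = [];
    foreach ($exposed as $field) {
        if (is_protected_user_meta_key($field, $prefix)) {
            continue;   // imported column named like an authorization key: never writable
        }
        if (array_key_exists($field, $submitted)) {
            $clean[$field] = sanitize_text_field_fallback($submitted[$field]);
        }
    }
    return $clean;
}

// Minimal stand-in for WordPress's sanitize_text_field() so the file runs outside WP.
function sanitize_text_field_fallback($value): string {
    return trim(strip_tags((string) $value));
}

// Constructed registration request: a legitimate custom field next to a
// capability key. The value is a placeholder, not a real capabilities blob.
$submitted = [
    'phone'           => '555-0100',
    'wp_capabilities' => 'constructed-value',
];
// Columns exposed as profile fields because they once appeared in an imported CSV.
$exposed = ['phone', 'wp_capabilities'];

var_dump(array_keys(filter_profile_fields_denylist($submitted)));
var_dump(array_keys(filter_profile_fields_allowlist($submitted, $exposed)));
```

The denylist version returns both keys, so the capability key reaches the meta store; the allowlist version returns only `phone`. The same `is_protected_user_meta_key` check is what a WAF rule or an `update_user_meta` audit hook would apply to incoming parameter names, which is the detection and blocking control the mitigation paragraph recommends.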

Responsible

Wordfence

Reservation

03/06/2026

Disclosure

03/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00032

KEV

no

Activities

very low

Sources
