CVE-2026-3629 in Import and Export Users and Customers Plugin정보

요약

\~에 의해 MITRE • 2026. 03. 22.

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

Wordfence

예약하다

2026. 03. 06.

공개

2026. 03. 22.

모더레이션

수락

항목

VDB-352386

CPE

준비됨

CWE

CWE-269 (확인됨)

CVSS

8.1 (CNA)

EPSS

0.00032

KEV

아니요

활동

매우 낮음

부문

Hostingprovider

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3629
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3629
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3629/

◂ 이전 개요 다음 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!