CVE-2026-3629 (GCVE-0-2026-3629)

Vulnerability from cvelistv5 – Published: 2026-03-21 22:24 – Updated: 2026-04-08 16:50
VLAI?
Title
Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields
Summary
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
carazo Import and export users and customers Affected: 0 , ≤ 1.29.7 (semver)
Create a notification for this product.
Credits
Supanat Konprom
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3629",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T16:13:14.147293Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T16:13:28.413Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Import and export users and customers",
          "vendor": "carazo",
          "versions": [
            {
              "lessThanOrEqual": "1.29.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supanat Konprom"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the \u0027save_extra_user_profile_fields\u0027 function not properly restricting which user meta keys can be updated via profile fields. The \u0027get_restricted_fields\u0027 method does not include sensitive meta keys such as \u0027wp_capabilities\u0027. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the \u0027wp_capabilities\u0027 meta key. The vulnerability can only be exploited if the \"Show fields in profile\" setting is enabled and a CSV with a wp_capabilities column header has been previously imported."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:50:18.319Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48dd9098-38e6-49da-8d22-27e12fddef51?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L193"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L217"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/helper.php#L146"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3483330/import-users-from-csv-with-meta#file37"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-13T23:17:27.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-21T10:03:40.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Import and export users and customers \u003c= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3629",
    "datePublished": "2026-03-21T22:24:17.648Z",
    "dateReserved": "2026-03-06T05:47:33.801Z",
    "dateUpdated": "2026-04-08T16:50:18.319Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-3629",
      "date": "2026-05-04",
      "epss": "0.00084",
      "percentile": "0.2414"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3629\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-21T23:16:51.393\",\"lastModified\":\"2026-04-24T16:31:14.807\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the \u0027save_extra_user_profile_fields\u0027 function not properly restricting which user meta keys can be updated via profile fields. The \u0027get_restricted_fields\u0027 method does not include sensitive meta keys such as \u0027wp_capabilities\u0027. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the \u0027wp_capabilities\u0027 meta key. The vulnerability can only be exploited if the \\\"Show fields in profile\\\" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.\"},{\"lang\":\"es\",\"value\":\"El plugin Importar y exportar usuarios y clientes para WordPress es vulnerable a escalada de privilegios en todas las versiones hasta, e incluyendo, la 1.29.7. Esto se debe a que la funci\u00f3n \u0027save_extra_user_profile_fields\u0027 no restringe adecuadamente qu\u00e9 claves meta de usuario pueden ser actualizadas a trav\u00e9s de los campos de perfil. El m\u00e9todo \u0027get_restricted_fields\u0027 no incluye claves meta sensibles como \u0027wp_capabilities\u0027. Esto hace posible que atacantes no autenticados escalen sus privilegios a Administrador al enviar una solicitud de registro manipulada que establece la clave meta \u0027wp_capabilities\u0027. La vulnerabilidad solo puede ser explotada si la configuraci\u00f3n \\\"Mostrar campos en el perfil\\\" est\u00e1 habilitada y se ha importado previamente un CSV con un encabezado de columna wp_capabilities.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L193\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L217\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/helper.php#L146\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3483330/import-users-from-csv-with-meta#file37\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/48dd9098-38e6-49da-8d22-27e12fddef51?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3629\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T16:13:14.147293Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T16:13:18.070Z\"}}], \"cna\": {\"title\": \"Import and export users and customers \u003c= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Supanat Konprom\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"carazo\", \"product\": \"Import and export users and customers\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.29.7\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-13T23:17:27.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-21T10:03:40.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/48dd9098-38e6-49da-8d22-27e12fddef51?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L193\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/columns.php#L217\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/1.29.7/classes/helper.php#L146\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3483330/import-users-from-csv-with-meta#file37\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the \u0027save_extra_user_profile_fields\u0027 function not properly restricting which user meta keys can be updated via profile fields. The \u0027get_restricted_fields\u0027 method does not include sensitive meta keys such as \u0027wp_capabilities\u0027. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the \u0027wp_capabilities\u0027 meta key. The vulnerability can only be exploited if the \\\"Show fields in profile\\\" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-03-21T22:24:17.648Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3629\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T16:13:28.413Z\", \"dateReserved\": \"2026-03-06T05:47:33.801Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-21T22:24:17.648Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.