{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/import-and-export-users-and-customers-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7641"}],"_cs_exploited":false,"_cs_products":["Import and export users and customers plugin"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Import and export users and customers plugin for WordPress, a plugin used to manage user data, is vulnerable to privilege escalation. This vulnerability, identified as CVE-2026-7641, affects all versions of the plugin up to and including 2.0.8. The vulnerability stems from an incomplete blocklist in the \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function. This function fails to adequately filter meta keys for subsites within a WordPress Multisite network, allowing attackers to manipulate user roles. Successful exploitation allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within the Multisite network. Exploitation requires the targeted WordPress instance to be part of a Multisite network and have specific settings enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator imports a CSV file containing multisite-prefixed capability column headers (e.g., \u003ccode\u003ewp_2_capabilities\u003c/code\u003e) using the affected plugin.\u003c/li\u003e\n\u003cli\u003eThe administrator enables the \u0026ldquo;Show fields in profile?\u0026rdquo; option within the plugin settings. This action stores the imported column headers (including the multisite capabilities) in the \u003ccode\u003eacui_columns\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eA low-privileged user (e.g., Subscriber) authenticates to the WordPress subsite.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile page (\u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e). The plugin displays the previously imported multisite capability fields as editable options on the profile page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a profile update request, setting the value of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key to \u003ccode\u003ea:1:{s:13:\u0026quot;administrator\u0026quot;;b:1;}\u003c/code\u003e which grants administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted profile update to \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esave_extra_user_profile_fields()\u003c/code\u003e function processes the update. Due to the incomplete blocklist, the function fails to prevent the modification of the \u003ccode\u003ewp_{subsite_id}_capabilities\u003c/code\u003e meta key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdate_user_meta()\u003c/code\u003e function writes the attacker-controlled value directly to the user\u0026rsquo;s metadata, granting them Administrator privileges on the specified subsite.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7641 allows an attacker to gain complete control over a WordPress subsite within a Multisite network. This can lead to unauthorized access to sensitive data, modification of website content, installation of malicious plugins or themes, and potential compromise of the entire Multisite network. Given the widespread use of WordPress and the Import and export users and customers plugin, a successful attack can have significant repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Import and export users and customers plugin to the latest version to patch CVE-2026-7641.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eWordPress Multisite Privilege Escalation via Profile Update\u003c/code\u003e to detect exploitation attempts against \u003ccode\u003e/wp-admin/profile.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eacui_columns\u003c/code\u003e option in the WordPress database to identify any instances where multisite-prefixed capability column headers have been imported, and remove those fields.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress user profile updates for unusual modifications to user capabilities using the \u003ccode\u003eWordPress User Role Change Detection\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wordpress-privesc/","summary":"A privilege escalation vulnerability exists in the Import and export users and customers plugin for WordPress (versions \u003c= 2.0.8) due to an incomplete blocklist allowing authenticated users to gain administrator privileges on subsites within a Multisite network.","title":"WordPress Import and Export Users Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Import and Export Users and Customers Plugin","version":"https://jsonfeed.org/version/1.1"}