CVE-2026-7641— Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7641
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| carazo | Import and export users and customers | 0 ~ 2.0.8 | - |
II. Public POCs for CVE-2026-7641
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7641
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Import and export users and customers
- CVE-2026-3629
Import and export users and customers <= 1.29.7 - Privilege - CVE-2025-24689
WordPress Import and export users and customers plugin 1.27. - CVE-2024-50413
WordPress Import and export users and customers plugin <= 1. - CVE-2024-38787
WordPress Import and export users and customers plugin <= 1. - CVE-2024-34815
WordPress Import and export users and customers plugin <= 1.
Same vendor: carazo
- CVE-2026-3629
Import and export users and customers <= 1.29.7 - Privilege - CVE-2024-4656
Import and export users and customers <= 1.26.6.1 - Authenti - CVE-2024-4734
Import and export users and customers <= 1.26.6.1 - Authenti - CVE-2024-1050
Import and export users and customers <= 1.26.5 - Missing Au - CVE-2023-6583
Import and export users and customers <= 1.24.2 - Authentica
Same weakness: CWE-269
- CVE-2026-40001
Local privilege escalation vulnerability in ZTE PROCESS Guar - CVE-2026-7778
runZero Platform dashboard configuration exposure - CVE-2025-13618
Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in - CVE-2026-24072
Apache HTTP Server: mod_rewrite elevation of privileges via - CVE-2026-6389
IBM Turbonomic Prometurbo agent used by IBM Turbonomic Appli
V. Comments for CVE-2026-7641
No comments yet