CVE-2026-4003
Published: 08 April 2026
Description
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations before allowing updates to user metadata, directly preventing the flawed authorization bypass in the AJAX handler.
- Applies least privilege to ensure unauthenticated users cannot perform privileged actions like arbitrary user meta updates, mitigating the privilege escalation.
- Limits the specific actions that can be performed without identification or authentication, prohibiting unauthenticated updates to sensitive user metadata such as the secret token.
Security Summary
CVE-2026-4003 is a privilege escalation vulnerability in the Users manager – PN plugin for WordPress, affecting all versions up to and including 1.1.15. The issue stems from flawed authorization logic in the userspn_ajax_nopriv_server() function, specifically within the 'userspn_form_save' case. This conditional check only blocks unauthenticated users when the user_id is empty, allowing execution to bypass verification entirely for non-empty user_id values and proceed to update arbitrary user meta via update_user_meta() without authentication or authorization. Compounding the problem, the required nonce ('userspn-nonce') for this AJAX endpoint is exposed to all visitors through wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By supplying a non-empty user_id, they can update arbitrary user metadata for any account, including the sensitive userspn_secret_token field, potentially enabling further compromise such as session hijacking or administrative privilege escalation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-862 (Missing Authorization).
The provided references point to specific lines in the plugin's source code on the WordPress plugins trac repository for tag 1.0.31, including the vulnerable authorization check in class-userspn-ajax-nopriv.php (lines 186, 190, 233), the update_user_meta call in class-userspn-common.php (line 168), and related user functions in class-userspn-functions-user.php (line 235). No patch or mitigation details are given in the available information.
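The flaw described in the Description and Security Summary above is a guard that is only evaluated when the supplied user_id is empty. The following PHP is an added illustrative reconstruction of that pattern beside a hardened form; it is not the plugin's code, and every function, action, nonce and meta-key name other than the WordPress core APIs (check_ajax_referer, is_user_logged_in, current_user_can, update_user_meta, wp_send_json_error, add_action) is an assumption chosen for the example.

```php
<?php
// Illustrative reconstruction, not the plugin's source. Names prefixed
// "example_" are assumptions; the WordPress core calls are real APIs.

// FLAWED pattern: the guard fires only when $user_id is empty, so a request
// that supplies any user_id skips the authentication check entirely.
function example_flawed_form_save() {
    // A nonce handed to every visitor via wp_localize_script is CSRF
    // protection at best; it proves nothing about who the caller is.
    check_ajax_referer( 'example-nonce', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    if ( empty( $user_id ) && ! is_user_logged_in() ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // Reached for every non-empty user_id, logged in or not, for any key.
    $meta = isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ? $_POST['meta'] : array();
    foreach ( $meta as $key => $value ) {
        update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// HARDENED pattern: authenticate unconditionally, authorize against the
// target user, and allow-list the meta keys the endpoint may write.
function example_hardened_form_save() {
    check_ajax_referer( 'example-nonce', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $current = get_current_user_id();
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // Users may edit their own profile; anyone else's requires edit_user.
    if ( $user_id !== $current && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only profile fields a user is meant to edit. Internal keys such as a
    // secret token are never reachable from this endpoint.
    $editable = array( 'example_display_city', 'example_bio' );

    $meta = isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ? $_POST['meta'] : array();
    foreach ( $meta as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $editable, true ) ) {
            continue; // silently drop keys outside the allow-list
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// Register the authenticated hook only. Deliberately no wp_ajax_nopriv_
// registration: an endpoint that writes user meta has no unauthenticated use.
add_action( 'wp_ajax_example_form_save', 'example_hardened_form_save' );
```

The three changes in the hardened form map onto the listed mitigating controls: the unconditional is_user_logged_in() check and the absence of a nopriv hook limit what can be done without authentication, the current_user_can( 'edit_user', ... ) check enforces approved authorization against the target account, and the key allow-list applies least privilege to what an authorized caller can change.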
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote exploit in a public-facing WordPress plugin (T1190), classified as privilege escalation (T1068), enabling arbitrary user metadata updates for account manipulation (T1098).