Privilege Escalation Vulnerability in Import Users from CSV Plugin for WordPress

CVE-2026-3629

What is CVE-2026-3629?

The Import Users from CSV with Meta plugin for WordPress contains a vulnerability that allows unauthenticated users to escalate their privileges to that of an Administrator. This is due to the 'save_extra_user_profile_fields' function failing to appropriately restrict which user meta keys can be modified through profile fields. Specifically, the 'get_restricted_fields' method overlooks critical meta keys such as 'wp_capabilities'. If the 'Show fields in profile' option is enabled, an attacker can exploit this flaw by submitting a specially crafted registration request that sets the 'wp_capabilities' meta key, potentially leading to unauthorized administrative access. This issue affects all versions of the plugin up to and including 1.29.7.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References