Privilege Escalation Vulnerability in Import Users from CSV Plugin for WordPress
CVE-2026-3629

CVSS score: 8.1 (HIGH)

Key Information:

Vendor: WordPress
CVE Published: 21 March 2026

What is CVE-2026-3629?

CVE-2026-3629 is a privilege escalation vulnerability in the Import Users from CSV plugin for WordPress, affecting all versions up to and including 1.29.7. The plugin imports and exports WordPress users and customers by processing user data from CSV files. The vulnerability stems from the 'save_extra_user_profile_fields' function, which does not adequately restrict which user meta keys may be updated. As a result, unauthenticated attackers can escalate their privileges to Administrator by submitting a specially crafted registration request that includes a 'wp_capabilities' column in the CSV. Exploitation requires that the "Show fields in profile" setting is enabled and that a suitable CSV file has already been imported.
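The root cause described above is a user-meta update path that accepts any field name. The following is an added illustration, not the plugin's own code: the unrestricted pattern beside a hardened replacement that allowlists configured fields, refuses capability and user-level keys under both the literal 'wp_' prefix and the site's real table prefix, and sanitizes values. The function names and the option name 'example_extra_profile_fields' are hypothetical.

```php
<?php
// Added example (not code from the plugin). Names are hypothetical.

// UNRESTRICTED PATTERN: every submitted field name becomes a user meta key,
// so a request carrying a 'wp_capabilities' field rewrites the user's roles.
function save_extra_fields_unrestricted( $user_id ) {
    foreach ( $_POST as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
}

// HARDENED: only administrator-configured fields are written, keys that
// decide privileges are always refused, and values are sanitized.
function save_extra_fields_hardened( $user_id ) {
    global $wpdb;

    // Allowlist of field names the site administrator configured for the
    // profile form (hypothetical option; the plugin's own storage differs).
    $allowed = (array) get_option( 'example_extra_profile_fields', array() );

    // Denylist of role/level meta keys. Cover both the literal 'wp_' prefix
    // and the actual table prefix, which differs on many installations.
    $denied = array(
        'wp_capabilities',
        'wp_user_level',
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );

    foreach ( $allowed as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        // A configured field (e.g. one taken from a CSV header) may itself be
        // a role key, so the denylist must win over the allowlist.
        if ( in_array( $key, $denied, true ) || is_protected_meta( $key, 'user' ) ) {
            continue;
        }
        $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        update_user_meta( $user_id, $key, $value );
    }
}
```

Role changes belong on a separate path that calls WP_User::set_role() only after a current_user_can( 'promote_users' ) check, never through generic meta updates.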

Potential impact of CVE-2026-3629

  1. Unauthorized Administrative Access: Exploitation of this vulnerability potentially allows attackers to gain Administrator-level access to WordPress sites. This can result in full control over the site's functionality and data, enabling malicious activities such as data manipulation, unauthorized content posting, and site takeover.

  2. Data Breach and Integrity Compromise: With administrative privileges, an attacker can access sensitive user information, modify or delete data, and compromise the integrity of the website. This can lead to severe repercussions for both the site owner and its users, including loss of trust and reputational damage.

  3. Increased Vulnerability to Further Exploits: By obtaining administrative access through this vulnerability, an attacker could install additional malware or backdoors, paving the way for future exploitation. This can lead to an ongoing cycle of compromises, impacting not only the affected site but potentially others in the same network or ecosystem.

Affected Version(s)

Import and export users and customers: 0 <= version <= 1.29.7

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Credit

Supanat Konprom