Privilege Escalation in Import Users and Customers Plugin for WordPress
CVE-2026-7641

8.8HIGH

Key Information:

Vendor: WordPress
Status: Import And Export Users And Customers
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-7641?

The Import Users and Customers plugin for WordPress contains a vulnerability that allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to an Administrator role on any subsite within a WordPress Multisite network. This occurs due to an incomplete blocklist in the save_extra_user_profile_fields() function, which inadequately restricts certain capability meta keys applicable to subsites. If an administrator has previously imported a CSV file with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option, it leads to exposure of these keys on the user profile page, allowing unauthorized privilege escalation through crafted profile updates.

Affected Version(s)

Import and export users and customers 0 <= 2.0.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/import-users-f...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
May 1, 2026

Credit

Di Nhau

CVE-2026-7641 Data

JSON