[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWZkrisrS0tMQPGfk3ioaKritA1Qy0JhIL_xz_XsdfkQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3629","import-and-export-users-and-customers-privilege-escalation-to-administrator-via-saveextrauserprofilefields","Import and export users and customers \u003C= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields","The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. 
The vulnerability can only be exploited if the \"Show fields in profile\" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.","import-users-from-csv-with-meta",null,"\u003C=1.29.7","2.0","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-03-21 10:03:40","2026-03-21 22:24:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F48dd9098-38e6-49da-8d22-27e12fddef51?source=api-prod",1,[22,23,24,25,26,27,28,29],"addons\u002Fadvanced-custom-fields.php","addons\u002Fbuddypress.php","addons\u002Fcustomer-area.php","addons\u002Fgroups.php","addons\u002Findeed-ultimate-membership-pro.php","addons\u002Fmailpoet.php","addons\u002Fmelapress-login-security.php","addons\u002Fnew-user-approve.php","researched",false,3,"This research plan outlines the steps required to demonstrate an unauthenticated privilege escalation to Administrator in the \"Import and export users and customers\" plugin.\n\n### 1. Vulnerability Summary\nThe \"Import and export users and customers\" plugin (versions \u003C= 1.29.7) contains a privilege escalation vulnerability. The plugin identifies \"extra\" user meta fields by tracking column headers from previously imported CSV files. When the \"Show fields in profile\" setting is enabled, the plugin's `save_extra_user_profile_fields` function (hooked to `user_register` and `profile_update`) iterates through all `$_POST` data. It updates user meta for any key that matches a \"discovered\" extra field, provided the key is not in a restricted list. \n\nThe vulnerability exists because `get_restricted_fields` (which uses the `acui_restricted_fields` filter) fails to include the sensitive `wp_capabilities` meta key. 
If an administrator has previously imported a CSV containing a `wp_capabilities` column, an unauthenticated attacker can provide that key during registration to grant themselves the Administrator role.\n\n### 2. Attack Vector Analysis\n- **Endpoint**: `wp-login.php?action=register` (Standard WordPress registration).\n- **HTTP Method**: POST\n- **Parameters**: \n    - `user_login`: The desired username.\n    - `user_email`: The desired email.\n    - `wp_capabilities[administrator]`: Set to `1` to grant the administrator role.\n- **Authentication**: None (Unauthenticated).\n- **Preconditions**:\n    1. WordPress must have registration enabled (`users_can_register`).\n    2. The plugin setting \"Show fields in profile\" (or \"Show fields in registration form\") must be enabled.\n    3. An administrator must have previously imported a CSV with a column header named `wp_capabilities`. This \"registers\" the field in the plugin's allowed list.\n\n### 3. Code Flow\n1. **Entry Point**: `wp-login.php?action=register` calls `register_new_user()`.\n2. **User Creation**: `register_new_user()` calls `wp_insert_user()`.\n3. **Hook Trigger**: `wp_insert_user()` triggers the `user_register` action hook.\n4. **Vulnerable Sink**: The plugin's `save_extra_user_profile_fields($user_id)` function is executed via the `user_register` hook.\n5. **Field Discovery**: The function retrieves a list of allowed extra fields (those discovered during previous CSV imports).\n6. **Bypassed Restriction**: The function calls `get_restricted_fields()` to filter the `$_POST` keys. Since `wp_capabilities` is not in the returned array of restricted fields, it remains in the processing queue.\n7. **Meta Update**: The function calls `update_user_meta( $user_id, 'wp_capabilities', $_POST['wp_capabilities'] )`.\n8. **Role Escalation**: WordPress processes the array `['administrator' => '1']` and serializes it, effectively granting the new user the Administrator role.\n\n### 4. 
Nonce Acquisition Strategy\nThe exploitation of the `user_register` hook through the standard WordPress registration form does **not** require a WordPress nonce for the `user_register` action itself. \n\nHowever, if the plugin's settings page requires a nonce for configuration (which the agent will need for setup), the agent should:\n1. Navigate to the plugin settings page.\n2. Use `browser_eval` to extract any nonce if needed for administrative actions, or use `wp-cli` to modify options directly to simplify the PoC setup.\n\n### 5. Exploitation Strategy\n\n**Step 1: Environment Setup (via WP-CLI)**\nEnable registration and the required plugin setting.\n```bash\n# Enable user registration\nwp option update users_can_register 1\nwp option update default_role subscriber\n\n# Enable the specific plugin setting (Grounded in plugin option structure)\n# The plugin stores settings in 'acui_settings'\nwp eval '\n$settings = get_option(\"acui_settings\", []);\n$settings[\"show_fields_in_profile\"] = \"yes\";\nupdate_option(\"acui_settings\", $settings);\n'\n```\n\n**Step 2: Seed the Vulnerability (Precondition)**\nImport a CSV with the `wp","The plugin allows unauthenticated privilege escalation to Administrator by improperly handling user meta updates during registration. 
When the 'Show fields in profile' setting is enabled and a CSV with a 'wp_capabilities' column has been previously imported, the plugin's `save_extra_user_profile_fields` function will update a new user's capabilities based on registration POST data because 'wp_capabilities' is not included in the restricted fields list.","\u002F\u002F The vulnerable logic exists in the main plugin file's save_extra_user_profile_fields function.\n\u002F\u002F It uses get_restricted_fields() which fails to include 'wp_capabilities'.\n\n\u002F* \n   Inferred logic based on research plan and vulnerability description:\n   File: import-users-from-csv-with-meta.php (not provided in source, but core to the vulnerability)\n*\u002F\n\nfunction save_extra_user_profile_fields($user_id) {\n    \u002F\u002F ... \n    $extra_fields = get_option('acui_extra_fields', []);\n    $restricted_fields = $this->get_restricted_fields(); \u002F\u002F wp_capabilities is missing from this list\n\n    foreach ($_POST as $key => $value) {\n        if (in_array($key, $extra_fields) && !in_array($key, $restricted_fields)) {\n            update_user_meta($user_id, $key, $value);\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F1.29.7\u002Faddons\u002Fadvanced-custom-fields.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F2.0\u002Faddons\u002Fadvanced-custom-fields.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F1.29.7\u002Faddons\u002Fadvanced-custom-fields.php\t2024-08-12 07:48:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F2.0\u002Faddons\u002Fadvanced-custom-fields.php\t2026-03-15 23:08:34.000000000 +0000\n@@ -11,7 +11,7 @@\n \t\tadd_filter( 'acui_restricted_fields', array( 
$this, 'restricted_fields' ), 10, 1 );\n \t\tadd_filter( 'acui_not_meta_fields', array( $this, 'restricted_fields' ), 10, 1 );\n \t\tadd_action( 'acui_documentation_after_plugins_activated', array( $this, 'documentation' ) );\n-\t\tadd_action( 'post_acui_import_single_user', array( $this, 'import' ), 10, 3 );\n+\t\tadd_action( 'acui_post_import_single_user', array( $this, 'import' ), 10, 3 );\n \t\tadd_filter( 'acui_export_columns', array( $this, 'export_columns' ), 10, 1 );\n \t\tadd_filter( 'acui_export_data', array( $this, 'export_data' ), 10, 2 );\n \t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F1.29.7\u002Faddons\u002Fbuddypress.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F2.0\u002Faddons\u002Fbuddypress.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F1.29.7\u002Faddons\u002Fbuddypress.php\t2024-08-12 07:48:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fimport-users-from-csv-with-meta\u002F2.0\u002Faddons\u002Fbuddypress.php\t2026-03-15 23:08:34.000000000 +0000\n@@ -31,8 +31,8 @@\n \t\tadd_action( 'acui_documentation_after_plugins_activated', array( $this, 'documentation' ) );\n \t\tadd_filter( 'acui_export_columns', array( $this, 'export_columns' ), 10, 1 );\n \t\tadd_filter( 'acui_export_data', array( $this, 'export_data' ), 10, 3 );\n-\t\tadd_action( 'post_acui_import_single_user', array( $this, 'import' ), 10, 10 );\t\n-\t\tadd_action( 'post_acui_import_single_user', array( $this, 'import_avatar' ), 10, 3 );\t\n+\t\tadd_action( 'acui_post_import_single_user', array( $this, 'import' ), 10, 10 );\t\n+\t\tadd_action( 'acui_post_import_single_user', array( $this, 'import_avatar' ), 10, 3 );\t\n \t}","The exploit requires certain preconditions: WordPress must allow user 
registration, the plugin setting 'Show fields in profile' (or registration form) must be enabled, and an administrator must have previously imported a CSV file containing a column named 'wp_capabilities' (which registers it as a known extra field). An unauthenticated attacker can then perform the following steps: \n1. Navigate to the WordPress registration page (wp-login.php?action=register).\n2. Submit a registration POST request containing standard fields (user_login, user_email).\n3. Include a crafted parameter `wp_capabilities[administrator]=1` in the POST request.\n4. Upon registration, the plugin triggers its `save_extra_user_profile_fields` function, which iterates through POST data, finds the 'wp_capabilities' key, and updates the new user's meta data because it is not restricted, effectively granting the new user the Administrator role.","gemini-3-flash-preview","2026-04-18 00:32:14","2026-04-18 00:33:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.29.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-users-from-csv-with-meta\u002Ftags\u002F1.29.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimport-users-from-csv-with-meta.1.29.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-users-from-csv-with-meta\u002Ftags\u002F2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimport-users-from-csv-with-meta.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimport-users-from-csv-with-meta\u002Ftags"]
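Review bot: In the addons/advanced-custom-fields.php hunk (@@ -11,7 +11,7 @@), the action name changes from `post_acui_import_single_user` to `acui_post_import_single_user` with no alias for the old name. Any site code or third-party addon still attached to the old hook will stop running without an error. If 2.0 fires only the new name, consider also firing the old one through `do_action_deprecated` for a release. The hunk does not touch `get_restricted_fields` or `save_extra_user_profile_fields`, so the `wp_capabilities` restriction described in the advisory is not visible here and should be verified in the main plugin file.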
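Review bot: In the addons/buddypress.php hunk (@@ -31,8 +31,8 @@), `import` is registered with an accepted-argument count of 10, while `import_avatar` on the next line and the same hook in advanced-custom-fields.php use 3. The rename carries that value over unchanged. Confirm how many arguments `acui_post_import_single_user` actually passes and set the count to match, or add a comment explaining why 10 is needed.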