CVE-2026-4003 Overview
CVE-2026-4003 is a privilege escalation vulnerability in the Users manager – PN plugin for WordPress, affecting all versions up to and including 1.1.15. The flaw resides in the userspn_ajax_nopriv_server() function within the userspn_form_save case, where an authorization check only blocks unauthenticated requests when user_id is empty. Supplying any non-empty user_id bypasses the check and reaches update_user_meta() without authentication. The accompanying userspn-nonce is exposed publicly through wp_localize_script, neutralizing it as a security control. Unauthenticated attackers can update arbitrary user metadata, including the userspn_secret_token field, on any account.
Critical Impact
Unauthenticated attackers can modify arbitrary user metadata on any WordPress account using the affected plugin, enabling account takeover and privilege escalation to administrator.
Affected Products
- Users manager – PN plugin for WordPress, all versions through 1.1.15
- WordPress sites with the userspn plugin active and reachable via AJAX endpoints
- Any user account on a vulnerable site, including administrator accounts
Discovery Timeline
- 2026-04-08 - CVE-2026-4003 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-4003
Vulnerability Analysis
The vulnerability is a Missing Authorization flaw classified as [CWE-862]. The userspn_ajax_nopriv_server() handler is registered on the wp_ajax_nopriv_ hook, which serves unauthenticated visitors by design. Inside the userspn_form_save branch, the authorization logic rejects unauthenticated callers only when user_id is empty. Attackers who supply any non-empty user_id value skip the check entirely and reach the update_user_meta() call.
WordPress nonces are intended to mitigate cross-site request forgery and provide a lightweight authorization signal. In this plugin, the userspn-nonce is emitted through wp_localize_script on the public wp_enqueue_scripts hook. Any visitor loading the front-end can read a valid nonce from the page source. The nonce therefore fails to function as a security boundary and does not prevent direct exploitation.
The EPSS score is 0.242% with a percentile of 47.463 as of 2026-05-14.
Root Cause
The root cause is broken authorization logic combined with public exposure of the AJAX nonce. The conditional in userspn_ajax_nopriv_server() treats a non-empty user_id as implicit proof of legitimacy. No capability check, no ownership check, and no authenticated session verification are performed before update_user_meta() writes to the database.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker fetches the public site to harvest the localized userspn-nonce. The attacker then issues a crafted POST request to admin-ajax.php with action=userspn_form_save, a target user_id, and arbitrary meta_key and meta_value parameters. By writing values such as userspn_secret_token for an administrator account, the attacker can pivot to full account takeover through related plugin authentication flows.
No verified proof-of-concept code is published for CVE-2026-4003. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for the vulnerable code path.
Detection Methods for CVE-2026-4003
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=userspn_form_save from unauthenticated sessions.
- Unexpected modifications to the wp_usermeta table, especially writes to userspn_secret_token or other plugin-managed meta keys.
- New or escalated administrator accounts whose metadata was recently updated by an unauthenticated request.
- Web server access logs showing the same client IP requesting front-end pages followed by repeated admin-ajax.php calls referencing varying user_id values.
Detection Strategies
- Inspect WordPress audit logs for update_user_meta events tied to AJAX requests lacking an authenticated user context.
- Correlate wp-admin/admin-ajax.php traffic with the userspn_form_save action and flag requests where the requester is not logged in.
- Hunt for tampered usermeta values by diffing the wp_usermeta table against known-good baselines.
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and forward to a central log store for retention and search.
- Alert on any change to administrator account metadata, password hashes, or plugin-specific token fields.
- Monitor for first-seen IPs issuing requests that include userspn-nonce values harvested from public pages.
How to Mitigate CVE-2026-4003
Immediate Actions Required
- Deactivate and remove the Users manager – PN plugin until a patched release is confirmed installed.
- Audit all user accounts, with priority on administrator and editor roles, for unauthorized metadata changes or unfamiliar tokens.
- Force a password reset and session invalidation for privileged accounts on affected sites.
- Review the wp_usermeta table for suspicious entries created or modified since the plugin was installed.
Patch Information
Review the WordPress Changeset Log and the Wordfence Vulnerability Report for the current fix status. Upgrade to the latest version released after 1.1.15 once it includes a proper capability check in userspn_ajax_nopriv_server() and removes the nonce from the public localized script.
Workarounds
- Block requests to /wp-admin/admin-ajax.php with action=userspn_form_save at the web application firewall (WAF) layer.
- Restrict access to admin-ajax.php from unauthenticated clients using HTTP authentication or IP allowlisting where feasible.
- Disable the plugin entirely on production sites until a fixed version is available.
# Example nginx rule to block exploitation of the vulnerable AJAX action
location = /wp-admin/admin-ajax.php {
if ($arg_action = "userspn_form_save") {
return 403;
}
if ($request_body ~* "action=userspn_form_save") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
