CVE-2026-7641 Overview
CVE-2026-7641 is a privilege escalation vulnerability in the Import and export users and customers plugin for WordPress, affecting all versions up to and including 2.0.8. The flaw resides in the save_extra_user_profile_fields() function, which uses an incomplete blocklist when filtering capability meta keys on profile updates. The blocklist correctly blocks primary-site keys such as wp_capabilities and wp_user_level but fails to block subsite-prefixed equivalents like wp_2_capabilities and wp_2_user_level. Authenticated users with Subscriber-level access or higher can escalate to Administrator on any subsite within a WordPress Multisite network. The weakness is classified under CWE-269: Improper Privilege Management.
Critical Impact
A Subscriber-level account can submit a crafted profile update to /wp-admin/profile.php and gain Administrator privileges on any subsite in a Multisite network, leading to full site takeover.
Affected Products
- Import and export users and customers plugin for WordPress (all versions through 2.0.8)
- WordPress Multisite networks running the affected plugin
- Sites where an administrator has imported a CSV containing multisite-prefixed capability column headers with the 'Show fields in profile?' option enabled
Discovery Timeline
- 2026-05-02 - CVE-2026-7641 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7641
Vulnerability Analysis
The vulnerability stems from an incomplete blocklist in the save_extra_user_profile_fields() function within the plugin's columns.php. When a user submits a profile update, the plugin iterates over fields stored in the acui_columns option and writes them to user meta via update_user_meta(). Before writing, an in_array() check rejects sensitive primary-site capability keys but does not account for WordPress Multisite naming conventions where each subsite uses a numeric prefix in its meta keys.
WordPress stores per-subsite capabilities in keys formatted as wp_<blog_id>_capabilities and wp_<blog_id>_user_level. Because the blocklist only contains the unprefixed primary-site variants, an attacker can supply a key such as wp_2_capabilities with a value of a:1:{s:13:"administrator";b:1;} and have it written directly to user meta. WordPress then treats the attacker as an Administrator on subsite 2.
Root Cause
The root cause is an incomplete denylist that does not enumerate all sensitive meta keys in a Multisite context. The in_array() comparison performs an exact string match against a static list, so any subsite-prefixed capability key bypasses the filter. Combined with direct calls to update_user_meta() without a capability check on the meta key itself, this creates a direct path from low-privileged user input to administrative role assignment.
Attack Vector
Exploitation requires an authenticated session with Subscriber privileges or higher. The attacker submits a crafted POST request to /wp-admin/profile.php containing a multisite-prefixed capability field (for example, wp_2_capabilities) with a serialized array assigning the administrator role. A precondition is that an administrator previously imported a CSV file containing multisite-prefixed capability column headers and enabled the 'Show fields in profile?' option, which causes those keys to be persisted in the acui_columns option and rendered as editable profile fields.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Analysis and the affected source files in columns.php and helper.php for technical detail.
Detection Methods for CVE-2026-7641
Indicators of Compromise
- POST requests to /wp-admin/profile.php containing field names matching the pattern wp_\d+_capabilities or wp_\d+_user_level.
- Unexpected entries in the acui_columns WordPress option containing multisite-prefixed capability column headers.
- User meta records where a non-Administrator account suddenly has wp_<n>_capabilities set to administrator on a subsite.
- New Administrator-level accounts on subsites that did not exist prior to a profile update event.
Detection Strategies
- Audit the wp_usermeta table across all subsites for users holding Administrator capabilities who were recently Subscribers, Contributors, or Authors.
- Inspect the acui_columns option value for any keys matching the regex ^wp_\d+_(capabilities|user_level)$ and treat their presence as a high-risk configuration.
- Review web server access logs for authenticated POST requests to profile.php with bodies containing prefixed capability parameters.
- Correlate WordPress role-change events with the originating user account and request source IP to identify self-promotion patterns.
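As an added illustration (not the plugin's code or the vendor's patch), the Python below contrasts the exact-match blocklist described under Vulnerability Analysis with a pattern that also matches subsite-prefixed keys, and runs the acui_columns and wp_usermeta checks from the Detection Strategies over constructed sample rows. The blocklist contents, the sample data and the expected-admins baseline are assumptions; the table prefix is assumed to be the default wp_ unless passed explicitly.

```python
import re

# Constructed stand-in for the pre-patch blocklist described above: only the
# unprefixed primary-site keys (illustrative, not the plugin's literal list).
INCOMPLETE_BLOCKLIST = {"wp_capabilities", "wp_user_level"}

def sensitive_key_re(base_prefix="wp_"):
    """Primary-site and subsite-prefixed capability/user_level keys; base_prefix
    is assumed to equal the network's $wpdb->base_prefix (default wp_)."""
    return re.compile(rf"^{re.escape(base_prefix)}(?:(\d+)_)?(capabilities|user_level)$")

def blocklist_misses(keys, base_prefix="wp_"):
    """Sensitive keys the exact-match blocklist lets through (the bypass)."""
    pat = sensitive_key_re(base_prefix)
    return [k for k in keys if k not in INCOMPLETE_BLOCKLIST and pat.match(k)]

def parse_php_roles(value):
    """Roles flagged true in a PHP-serialized capabilities array such as
    a:1:{s:13:"administrator";b:1;} (minimal parser for this shape only)."""
    roles = []
    for m in re.finditer(r's:(\d+):"', value):
        end = m.end() + int(m.group(1))          # honour the declared string length
        if value[end:].startswith('";b:1;'):
            roles.append(value[m.end():end])
    return roles

def audit(usermeta, acui_columns, expected_admins, base_prefix="wp_"):
    """Flag risky acui_columns entries and administrator grants on blogs where
    the user is not in expected_admins ({blog_id: set(user_id)})."""
    pat = sensitive_key_re(base_prefix)
    findings = [("risky_acui_column", c) for c in acui_columns if pat.match(c)]
    for row in usermeta:
        m = pat.match(row["meta_key"])
        if not m or m.group(2) != "capabilities":
            continue
        blog_id = int(m.group(1)) if m.group(1) else 1   # unprefixed key = primary site
        if ("administrator" in parse_php_roles(row["meta_value"])
                and row["user_id"] not in expected_admins.get(blog_id, set())):
            findings.append(("unexpected_admin", row["user_id"], blog_id))
    return findings

# Constructed sample: user 7 is a Subscriber on the primary site but holds
# administrator on subsite 2, and acui_columns carries a subsite-prefixed header.
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 7, "meta_key": "wp_2_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
SAMPLE_ACUI_COLUMNS = ["first_name", "wp_2_capabilities", "wp_2_user_level"]
SAMPLE_EXPECTED_ADMINS = {1: {1}, 2: {1}}
```

Calling audit(SAMPLE_USERMETA, SAMPLE_ACUI_COLUMNS, SAMPLE_EXPECTED_ADMINS) reports both subsite-prefixed acui_columns headers and user 7's unexpected administrator grant on blog 2, while blocklist_misses(SAMPLE_ACUI_COLUMNS) shows exactly the keys the exact-match check would have let through.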
Monitoring Recommendations
- Enable WordPress audit logging for role changes and update_user_meta() calls targeting capability keys.
- Alert on any modification to the acui_columns option outside of administrator-driven CSV import workflows.
- Monitor for privilege transitions where the same authenticated user identifier both initiates and benefits from a role change.
How to Mitigate CVE-2026-7641
Immediate Actions Required
- Update the Import and export users and customers plugin to a version newer than 2.0.8 that includes the fix from WordPress Changeset #3515646.
- Inspect the acui_columns option and remove any entries matching multisite-prefixed capability keys such as wp_<n>_capabilities or wp_<n>_user_level.
- Disable the 'Show fields in profile?' option for any imported columns that map to sensitive meta keys.
- Audit all subsites for unauthorized Administrator accounts and revoke elevated privileges from accounts that should not hold them.
Patch Information
The vendor addressed CVE-2026-7641 in the version following 2.0.8 via WordPress Changeset #3515646. The patch extends the blocklist to cover multisite-prefixed capability and user-level meta keys so that the in_array() checks reject wp_<blog_id>_capabilities and wp_<blog_id>_user_level for every subsite. Administrators running WordPress Multisite must apply the update on every site in the network.
Workarounds
- If the plugin cannot be updated immediately, deactivate it on all sites in the Multisite network until a patched version is installed.
- Remove all multisite-prefixed capability column entries from the acui_columns option to eliminate the editable profile fields that enable exploitation.
- Restrict access to /wp-admin/profile.php for low-privileged roles via a web application firewall rule that blocks request bodies containing parameters matching wp_\d+_(capabilities|user_level).
- Temporarily restrict new user registrations to limit the pool of authenticated attackers.
# Example WAF rule (ModSecurity) to block multisite capability key injection on profile updates
SecRule REQUEST_URI "@endsWith /wp-admin/profile.php" \
"id:1026764101,phase:2,deny,status:403,log,\
msg:'CVE-2026-7641 multisite capability key injection attempt',\
chain"
SecRule ARGS_NAMES "@rx ^wp_[0-9]+_(capabilities|user_level)$" \
"t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.