Description
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
Published: 2026-04-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The Users manager – PN WordPress plugin allows an attacker who is not logged in to call the AJAX endpoint 'userspn_form_save' and supply a non‑empty user_id. Because the plugin’s authorization logic only blocks requests when user_id is empty, it bypasses the check and updates arbitrary user meta via update_user_meta() even for locked user accounts. The required nonce is publicly exposed, rendering it useless. Attacker can change any meta field, including userspn_secret_token, effectively assuming control of an arbitrary user account.

Affected Systems

This flaw affects all installations of the Users manager – PN plugin by felixmartinez with version 1.1.15 or earlier on any WordPress site that has the plugin activated.

Risk and Exploitability

With a CVSS score of 9.8, this vulnerability is considered critical. The lack of authentication or authorization checks means the attacker can exploit it from any web‑connected device simply by sending a crafted HTTP request to the exposed AJAX endpoint, provided they have the public nonce. The EPSS score is not published, and the issue is not listed in CISA’s KEV catalog, but the ease of exploitation and lack of mitigation make it a high‑risk asset. Adversaries likely would use automated scripts or malicious JS to submit the request and obtain a new token for the target account.

Generated by OpenCVE AI on April 8, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Users manager – PN plugin to the newest available version, which removes the flawed authorisation check and properly protects the AJAX endpoint.
  • If an update is not immediately possible, add code to the site or use a security plugin to block the 'userspn_form_save' AJAX action for unauthenticated users, for example by hooking into wp_ajax_nopriv_userspn_form_save and returning an error.
  • Verify that the nonce is no longer exposed publicly by reviewing the wp_localize_script calls on the frontend.
  • After applying the fix, test that non‑registered visitors can no longer modify user meta for existing accounts.
  • Continuously monitor the WordPress security advisories for the plugin and keep all other plugins, themes, and core WordPress updated.

Generated by OpenCVE AI on April 8, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Felixmartinez
Felixmartinez users Manager – Pn
Wordpress
Wordpress wordpress
Vendors & Products Felixmartinez
Felixmartinez users Manager – Pn
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
Title Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Felixmartinez Users Manager – Pn
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:58.430Z

Reserved: 2026-03-11T18:52:48.888Z

Link: CVE-2026-4003

cve-icon Vulnrichment

Updated: 2026-04-08T14:48:56.116Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T05:16:06.347

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:44:05Z

Weaknesses