Description

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.

INFO

Published Date :

2026-04-08T03:36:08.200Z

Last Modified :

2026-04-08T16:42:58.430Z

Source :

Wordfence
AFFECTED PRODUCTS

The following products are affected by CVE-2026-4003 vulnerability.

Vendors Products
Felixmartinez
  • Users Manager – Pn
Wordpress
  • Wordpress
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-4003.

URL Resource
https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491109%40userspn&new=3491109%40userspn&sfp_email=&sfph_mail= cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact