CVE-2026-4003
Published: 08 April 2026
Summary
CVE-2026-4003 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations before allowing updates to user metadata, directly preventing the flawed authorization bypass in the AJAX handler.
- AC-6 (Least Privilege): Applies least privilege so that unauthenticated users cannot perform privileged actions such as arbitrary user meta updates, mitigating the privilege escalation.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits the specific actions that may be performed without identification or authentication, prohibiting unauthenticated updates to sensitive user metadata such as the secret token.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote exploit of a public-facing WordPress plugin (T1190), is classified as privilege escalation (T1068), and enables arbitrary user metadata updates that can be used for account manipulation (T1098).
NVD Description
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
Deeper analysis
CVE-2026-4003 is a privilege escalation vulnerability in the Users manager – PN plugin for WordPress, affecting all versions up to and including 1.1.15. The issue stems from flawed authorization logic in the userspn_ajax_nopriv_server() function, specifically within the 'userspn_form_save' case. This conditional check only blocks unauthenticated users when the user_id is empty, allowing execution to bypass verification entirely for non-empty user_id values and proceed to update arbitrary user meta via update_user_meta() without authentication or authorization. Compounding the problem, the required nonce ('userspn-nonce') for this AJAX endpoint is exposed to all visitors through wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By supplying a non-empty user_id, they can update arbitrary user metadata for any account, including the sensitive userspn_secret_token field, potentially enabling further compromise such as session hijacking or administrative privilege escalation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-862 (Missing Authorization).
The provided references point to specific lines in the plugin's source code on the WordPress plugins trac repository for tag 1.0.31, including the vulnerable authorization check in class-userspn-ajax-nopriv.php (lines 186, 190, 233), the update_user_meta call in class-userspn-common.php (line 168), and related user functions in class-userspn-functions-user.php (line 235). The available information does not include explicit patch or mitigation details.
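As an added illustration (not the plugin's code, which the advisory does not reproduce), the shape of the flawed conditional described above is shown beside a hardened WordPress AJAX handler that applies the AC-3, AC-6 and AC-14 controls listed earlier. All function names, action names, the nonce action, the script handle and the meta keys are hypothetical.

```php
<?php
// Added illustration (not the plugin's code; all names are hypothetical).

// FLAWED shape described in the advisory: the guard fires only when user_id is
// empty, so any non-empty user_id reaches update_user_meta() unauthenticated.
function example_flawed_save() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( empty( $user_id ) && ! is_user_logged_in() ) {
        wp_send_json_error( 'not allowed' ); // never reached when user_id is set
    }
    update_user_meta( $user_id, sanitize_key( $_POST['key'] ), sanitize_text_field( $_POST['value'] ) );
    wp_send_json_success();
}

// HARDENED shape: privileged-only endpoint, nonce check, ownership/capability
// check, and an allow-list so the client cannot choose arbitrary meta keys.
const EXAMPLE_WRITABLE_META = array( 'example_display_pref', 'example_timezone' );

function example_hardened_save() {
    check_ajax_referer( 'example-save', 'nonce' ); // dies on missing/invalid nonce
    $caller = get_current_user_id();
    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $caller || 0 === $target ) {
        wp_send_json_error( 'authentication required', 401 ); // AC-14
    }
    if ( $target !== $caller && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 ); // AC-3: self-service or edit_users
    }
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! in_array( $key, EXAMPLE_WRITABLE_META, true ) ) {
        wp_send_json_error( 'meta key not writable', 400 ); // AC-6: no secret fields
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_user_meta( $target, $key, $value );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: the action does not exist for anonymous callers.
add_action( 'wp_ajax_example_save', 'example_hardened_save' );

// Hand the nonce only to logged-in visitors instead of on every public page view.
add_action( 'wp_enqueue_scripts', function () {
    if ( is_user_logged_in() ) {
        wp_localize_script( 'example-script', 'exampleAjax',
            array( 'nonce' => wp_create_nonce( 'example-save' ) ) );
    }
} );
```

A nonce alone is never an authorization control: even when it is no longer public, the hardened handler still relies on get_current_user_id() and current_user_can() for the actual access decision.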
Details
- CWE(s)