CVE-2026-4261
Published: 21 March 2026
Summary
CVE-2026-4261 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations before allowing updates to sensitive user metadata like 'on_expire_default_to_role', directly preventing unauthorized privilege escalation via the plugin's save function.
Implements least privilege to restrict Subscriber-level users from modifying administrator roles or meta fields, mitigating the escalation vulnerability.
Manages user accounts and roles to ensure only authorized personnel can alter role assignments or related metadata, blocking exploitation of the improper update capability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in save_extra_user_profile_fields allows authenticated role modification (CWE-862), directly enabling T1068 (Exploitation for Privilege Escalation) from subscriber to admin and T1098 (Account Manipulation) via unauthorized user-meta changes.
NVD Description
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it…
more
possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Deeper analysisAI
CVE-2026-4261 is a privilege escalation vulnerability in the Expire Users plugin for WordPress, affecting all versions up to and including 1.2.2. The flaw stems from the plugin's 'save_extra_user_profile_fields' function, which improperly allows users to update the 'on_expire_default_to_role' user meta field. This enables unauthorized modification of user roles. Published on 2026-03-21, the vulnerability carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-862 (Missing Authorization).
An authenticated attacker with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the meta field during profile updates, the attacker can elevate their privileges to administrator level, potentially gaining full control over the WordPress site, including user management, content modification, and plugin configuration.
References include the plugin's source code at line 163 in admin/expire-user.php on the WordPress plugin Trac repository and a Wordfence threat intelligence report detailing the issue. No specific patch or mitigation details are outlined in the provided CVE data.
Details
- CWE(s)