Cyber Resilience

CVE-2026-7641

High

Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: no patch details available
CVSS Score: v3.1 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0066 (47.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7641 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the "Import and export users and customers" plugin for WordPress (product inferred from references; NVD filed no CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 47.2nd percentile by exploit likelihood (EPSS 0.0066, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7641 is a privilege escalation vulnerability in the "Import and export users and customers" plugin for WordPress, affecting all versions up to and including 2.0.8. The issue stems from an incomplete blocklist in the `save_extra_user_profile_fields()` function, which properly restricts capability meta keys for the primary site (such as `wp_capabilities` and `wp_user_level`) but fails to block equivalent keys for subsites in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`). This allows these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to escalate their privileges to Administrator on any subsite within a Multisite network. Exploitation involves submitting a crafted profile update to `/wp-admin/profile.php`, but requires prerequisite conditions: an administrator must have previously imported a CSV file containing multisite-prefixed capability column headers, and the 'Show fields in profile?' option must be enabled, storing those keys in the `acui_columns` option and exposing them as editable profile fields.
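As an added illustration, not code from the plugin or from the advisory, the following PHP contrasts a fixed blocklist of the kind described above with a prefix-aware check that also covers subsite keys. The function names, the `$table_prefix` stand-in for `$wpdb->base_prefix`, and the posted field values are assumptions made for the example; the plugin's actual code and any vendor fix are not reproduced here.

```php
<?php
// Added example (not the plugin's own code): a fixed blocklist of the kind the advisory
// describes, beside a prefix-aware check. Function names and $table_prefix are assumptions.
declare(strict_types=1);

// Stand-in for $wpdb->base_prefix; on a real install it comes from wp-config.php.
$table_prefix = 'wp_';

// Flawed check: only the primary site's capability keys are listed, so a key for
// any other blog in the network (wp_2_capabilities, wp_2_user_level, ...) passes.
function is_forbidden_meta_key_blocklist(string $key, string $prefix): bool
{
    $blocklist = [$prefix . 'capabilities', $prefix . 'user_level'];
    return in_array($key, $blocklist, true);
}

// Hardened check: reject the capability and user-level meta of every site in the
// network by matching the optional "<blog_id>_" segment between prefix and suffix.
function is_forbidden_meta_key_hardened(string $key, string $prefix): bool
{
    $pattern = '/^' . preg_quote($prefix, '/') . '(?:\d+_)?(?:capabilities|user_level)$/';
    return preg_match($pattern, $key) === 1;
}

// Simulated profile save: keys that survive the check would reach update_user_meta().
// Returns the list of keys that would be written.
function keys_written(array $posted, string $prefix, callable $is_forbidden): array
{
    $written = [];
    foreach ($posted as $key => $value) {
        if (!$is_forbidden($key, $prefix)) {
            $written[] = $key;
        }
    }
    return $written;
}

// Constructed stand-in for a crafted POST to /wp-admin/profile.php.
$posted = [
    'wp_capabilities'   => serialize(['administrator' => true]),
    'wp_2_capabilities' => serialize(['administrator' => true]),
    'wp_2_user_level'   => '10',
    'company'           => 'Example Ltd',
];

foreach (['blocklist' => 'is_forbidden_meta_key_blocklist',
          'hardened'  => 'is_forbidden_meta_key_hardened'] as $label => $fn) {
    printf("%-9s writes: %s\n", $label, implode(', ', keys_written($posted, $table_prefix, $fn)));
}
```

Run with `php example.php`: the blocklist variant stops `wp_capabilities` but lets the two `wp_2_*` keys through to the simulated write, while the hardened variant writes only `company`. The safer design is stronger still: write only the custom columns the plugin itself defined (an allowlist) rather than everything not on a denylist, and in any case reject every key that begins with the table prefix, since that namespace belongs to core.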

The references link to the vulnerable code locations in the plugin's source, including lines in `classes/columns.php` (e.g., L198, L221), `classes/helper.php` (L150) and `classes/multisite.php` (L21), across tags 2.0.6 and 2.0.8, highlighting the flawed capability checks and meta handling. No patch or vendor mitigation details are present in the available information.

Vulnerability details

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.

CWE(s)

CWE-269 Improper Privilege Management
Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly a privilege escalation flaw: an authenticated low-privileged user can write capability meta keys and gain Administrator access on WordPress Multisite subsites by exploiting the plugin's incomplete input validation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2025-26705 (shared CWE-269)
CVE-2015-10139 (shared CWE-269)
CVE-2026-8972 (shared CWE-269)
CVE-2025-0893 (shared CWE-269)
CVE-2026-6769 (shared CWE-269)
CVE-2025-2858 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)

Affected Assets

WordPress: "Import and export users and customers" plugin, all versions up to and including 2.0.8
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)

Validate the inputs to `save_extra_user_profile_fields()` so that multisite capability meta keys such as `wp_2_capabilities` and `wp_2_user_level` are rejected, which directly prevents privilege escalation via crafted profile updates.

prevent · AC-6 (Least Privilege)

Enforce least privilege so that Subscriber-level users cannot modify or acquire Administrator capabilities on any subsite, even through flawed plugin profile editing.

prevent

Remediate the identified flaw in the plugin's incomplete blocklist in a timely manner, patching the vulnerability to stop privilege escalation exploitation.

References