CVE-2026-7641
Published: 02 May 2026
Summary
CVE-2026-7641 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 47.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7641 is a privilege escalation vulnerability in the "Import and export users and customers" plugin for WordPress, affecting all versions up to and including 2.0.8. The issue stems from an incomplete blocklist in the `save_extra_user_profile_fields()` function, which properly restricts capability meta keys for the primary site (such as `wp_capabilities` and `wp_user_level`) but fails to block equivalent keys for subsites in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`). This allows these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to escalate their privileges to Administrator on any subsite within a Multisite network. Exploitation involves submitting a crafted profile update to `/wp-admin/profile.php`, but requires prerequisite conditions: an administrator must have previously imported a CSV file containing multisite-prefixed capability column headers, and the 'Show fields in profile?' option must be enabled, storing those keys in the `acui_columns` option and exposing them as editable profile fields.
The references link to the vulnerable code locations in the plugin's source, including lines in `classes/columns.php` (e.g., L198, L221), `classes/helper.php` (L150) and `classes/multisite.php` (L21), across tags 2.0.6 and 2.0.8, highlighting the flawed capability checks and meta handling. No specific patch or mitigation details are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26740
Vulnerability details
The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.
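The following is an added illustration, not code from the plugin or from the advisory, of the defect class described in the analysis above and in the vulnerability details: a fixed blocklist of primary-site keys beside a prefix-aware check that also rejects per-subsite capability keys. The function and variable names (`acui_demo_*`, `$base_prefix`) are assumptions chosen for the example; in a real plugin the prefix would come from `$wpdb->base_prefix`, and the input keys are a constructed sample.

```php
<?php
// Added example (not the plugin's own code): compares a fixed blocklist of
// capability meta keys with a prefix-aware check that also covers subsites.

/**
 * Blocklist of the kind described in the advisory: only the primary-site
 * keys are listed, so a per-site key such as "wp_2_capabilities" passes.
 */
function acui_demo_is_blocked_fixed_list(string $meta_key): bool
{
    $blocked = ['wp_capabilities', 'wp_user_level'];
    return in_array($meta_key, $blocked, true);
}

/**
 * Prefix-aware check: rejects "<prefix>capabilities", "<prefix>user_level"
 * and every numbered subsite variant "<prefix><n>_capabilities" /
 * "<prefix><n>_user_level". $base_prefix stands in for $wpdb->base_prefix
 * (assumed here as a parameter so the example runs without WordPress).
 */
function acui_demo_is_blocked_multisite_aware(string $meta_key, string $base_prefix = 'wp_'): bool
{
    $pattern = '/^' . preg_quote($base_prefix, '/') . '(?:\d+_)?(?:capabilities|user_level)$/';
    return preg_match($pattern, $meta_key) === 1;
}

/**
 * Returns the submitted keys that a profile update would be allowed to
 * write (i.e. the ones that would reach update_user_meta()) under the
 * given key checker.
 */
function acui_demo_filter_writable(array $submitted_keys, callable $is_blocked): array
{
    return array_values(array_filter($submitted_keys, fn(string $k) => !$is_blocked($k)));
}

// Constructed sample of field names a profile form might submit.
$submitted = [
    'first_name',
    'wp_capabilities',
    'wp_2_capabilities',
    'wp_2_user_level',
    'wp_10_capabilities',
    'favorite_color',
];

echo "Fixed blocklist lets through:\n";
print_r(acui_demo_filter_writable($submitted, 'acui_demo_is_blocked_fixed_list'));

echo "Prefix-aware check lets through:\n";
print_r(acui_demo_filter_writable(
    $submitted,
    fn(string $k) => acui_demo_is_blocked_multisite_aware($k, 'wp_')
));
```

Run with `php example.php`. With the fixed list, every `wp_<n>_capabilities` and `wp_<n>_user_level` key is still writable; the prefix-aware check drops all of them and keeps only the ordinary profile fields. A stronger design than any blocklist is an allowlist of the specific meta keys the profile page is meant to edit, since that also covers keys with an unexpected prefix or a table prefix other than `wp_`.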
- CWE(s): CWE-269 (Improper Privilege Management)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
The vulnerability is explicitly a privilege escalation flaw allowing authenticated low-privileged users to modify capability meta keys and gain Administrator access on WordPress Multisite subsites via exploitation of incomplete input validation in the plugin.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of inputs to the `save_extra_user_profile_fields()` function to reject unauthorized multisite capability meta keys such as `wp_2_capabilities`, directly preventing the privilege escalation via crafted profile updates.
- AC-6 (Least Privilege): enforces least privilege to restrict Subscriber-level users from modifying or escalating to Administrator capabilities on subsites, even through flawed plugin profile editing.
- Flaw remediation: mandates timely remediation of the identified flaw in the plugin's incomplete blocklist, patching the vulnerability to stop privilege escalation exploitation.