Attack Vectors
CVE-2026-3629 is a High severity (CVSS 8.1) privilege-escalation vulnerability affecting the WordPress plugin Import and export users and customers (slug: import-users-from-csv-with-meta) in versions up to and including 1.29.7.
An unauthenticated attacker can submit a crafted registration request that includes an extra profile field whose name is the sensitive wp_capabilities user meta key. Because the plugin writes that field to user meta, the attacker's newly registered account is created with the Administrator role; no existing login is needed.
Security Weakness
The issue is caused by insufficient restrictions on which user meta keys can be updated through profile fields in the plugin's save_extra_user_profile_fields function. The plugin uses a get_restricted_fields method as a blocklist for sensitive fields, but that list does not include critical meta keys such as wp_capabilities. Two points matter for anyone assessing a site: WordPress stores the role assignment under a key built from the database table prefix ({$wpdb->prefix}capabilities, with {$wpdb->prefix}user_level next to it), so a blocklist entry hard-coded to the default wp_ prefix would still miss sites that use a custom prefix; and a blocklist is the wrong control for this purpose, because every sensitive key that nobody thought of is exposed by default, whereas an allowlist of the profile fields the site actually configured is not.
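The pattern described above, as an added illustration rather than the plugin's own code: a blocklist filter that forgets the capability key beside an allowlist filter that rejects it. The function names (vulnerable_profile_fields_filter, hardened_profile_fields_filter), the sample registration request and the blocklist contents are constructed for this example and are not taken from the plugin; in the real code the keys that survive filtering are the ones handed to update_user_meta().

```php
<?php
// Added illustration (not the plugin's code): why a blocklist on profile-field
// meta keys fails and how an allowlist plus a deny list of privilege-bearing
// keys behaves on the same request. All names and sample data are constructed.

declare(strict_types=1);

/**
 * Vulnerable pattern: every submitted field whose key is not on a short
 * blocklist is passed through. If the surviving keys are written with
 * update_user_meta(), a field named "wp_capabilities" lands in the usermeta
 * table and becomes the new user's role assignment.
 */
function vulnerable_profile_fields_filter(array $submitted, array $restricted): array
{
    $accepted = [];
    foreach ($submitted as $key => $value) {
        if (in_array($key, $restricted, true)) {
            continue;
        }
        $accepted[$key] = $value;
    }
    return $accepted;
}

/**
 * Hardened pattern: only keys that were explicitly configured as profile
 * fields are accepted, and privilege-bearing keys are rejected even if someone
 * later adds them to the allowlist. The capability key depends on the table
 * prefix ({$wpdb->prefix}capabilities in WordPress), so the prefix is a
 * parameter here instead of a hard-coded "wp_". The comparison is
 * case-insensitive because meta_key lookups in MySQL can be case-insensitive
 * depending on the column collation.
 */
function hardened_profile_fields_filter(array $submitted, array $allowed, string $prefix): array
{
    $denied = array_map('strtolower', [
        $prefix . 'capabilities',
        $prefix . 'user_level',
        'wp_capabilities',   // keep the default-prefix keys blocked as well
        'wp_user_level',
    ]);
    $accepted = [];
    foreach ($submitted as $key => $value) {
        if (!is_string($key) || !in_array($key, $allowed, true)) {
            continue;   // not a configured profile field
        }
        if (in_array(strtolower($key), $denied, true)) {
            continue;   // privilege-bearing key, never user-settable
        }
        $accepted[$key] = $value;
    }
    return $accepted;
}

// Constructed sample registration request: legitimate fields plus an injected
// capability key carrying a serialized array that grants the administrator role.
$submitted = [
    'first_name'      => 'Alice',
    'phone'           => '555-0100',
    'wp_capabilities' => 'a:1:{s:13:"administrator";b:1;}',
    'user_pass'       => 'ignored',
];

// Blocklist that forgets the capability key, mirroring the weakness described.
$restricted = ['user_pass', 'user_login', 'user_email'];
// Allowlist of the fields the site actually configured.
$allowed    = ['first_name', 'phone'];

$vuln = vulnerable_profile_fields_filter($submitted, $restricted);
$safe = hardened_profile_fields_filter($submitted, $allowed, 'wp_');

echo "vulnerable filter keeps: " . implode(', ', array_keys($vuln)) . PHP_EOL;
echo "hardened filter keeps:   " . implode(', ', array_keys($safe)) . PHP_EOL;
```

Run with `php filter_example.php`: the vulnerable filter keeps first_name, phone and wp_capabilities, so the role assignment would be written; the hardened filter keeps only first_name and phone. The deny list is a second layer, not a replacement for the allowlist: the allowlist is what makes unknown future keys safe by default.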
Remediation: update Import and export users and customers to version 2.0 or newer (the patched release). If you cannot update immediately, reduce exposure until the patch is deployed: if the site does not need open registration, turn off "Anyone can register" under Settings > General, and otherwise restrict the plugin's registration workflow. After updating, review the Administrator accounts on the site and remove any that a known administrator did not create, since an account already escalated through this flaw keeps its role after the plugin is fixed.
Technical or Business Impacts
This vulnerability can enable full site takeover. With Administrator access, an attacker can change site settings, create additional administrator users, and install plugins or theme files that act as backdoors, and so keep access even after passwords are reset.
From a business-risk standpoint, impacts may include unauthorized changes to customer-facing content (brand damage), data exposure, disruption of marketing operations, and potential downstream costs tied to incident response, regulatory/compliance obligations, and loss of customer trust.
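The check the remediation and impact sections call for, as an added example that is not part of the advisory or of any WordPress or plugin code: given a usermeta export, list every account holding the administrator role and flag capability-style keys under a foreign prefix. The function names (parse_capabilities, find_administrators) and the sample rows are constructed; a real export would come from `SELECT user_id, meta_key, meta_value FROM wp_usermeta` or from WP-CLI's `wp user meta list`.

```php
<?php
// Added example (not the plugin's or WordPress's code): audit a usermeta
// export for administrator accounts after an incident or after patching.
// All function names and sample rows below are constructed for this example.

declare(strict_types=1);

/**
 * Parse a WordPress capabilities meta value. It is a PHP-serialized array of
 * role => true (individual capabilities may appear too). Objects are never
 * expected, so class instantiation is disabled during unserialize().
 */
function parse_capabilities(string $serialized): array
{
    $caps = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($caps)) {
        return [];
    }
    return array_keys(array_filter($caps));  // keep only entries set to true
}

/**
 * Return the users whose capabilities meta under the given table prefix grants
 * the administrator role. Rows whose key ends in "capabilities" but belongs to
 * a different prefix are reported separately: WordPress ignores them, but their
 * presence in an export shows that arbitrary meta keys were written.
 */
function find_administrators(array $rows, string $prefix): array
{
    $capKey = $prefix . 'capabilities';
    $admins = [];
    $stray  = [];
    foreach ($rows as $row) {
        $key = (string) $row['meta_key'];
        if (strcasecmp($key, $capKey) === 0) {
            $roles = parse_capabilities((string) $row['meta_value']);
            if (in_array('administrator', $roles, true)) {
                $admins[(int) $row['user_id']] = $roles;
            }
        } elseif (preg_match('/capabilities$/i', $key) === 1) {
            $stray[] = (int) $row['user_id'] . ':' . $key;
        }
    }
    return ['administrators' => $admins, 'stray_capability_keys' => $stray];
}

// Constructed sample export: the site owner (user 1), a normal subscriber (7),
// a self-registered account (42) whose capabilities were set to administrator
// at registration, and a row written under a prefix the site does not use.
$rows = [
    ['user_id' => 1,  'meta_key' => 'wp_capabilities',  'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_id' => 7,  'meta_key' => 'wp_capabilities',  'meta_value' => 'a:1:{s:10:"subscriber";b:1;}'],
    ['user_id' => 42, 'meta_key' => 'wp_capabilities',  'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_id' => 42, 'meta_key' => 'nickname',         'meta_value' => 'helpful-customer'],
    ['user_id' => 43, 'meta_key' => 'xyz_capabilities', 'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
];

$report = find_administrators($rows, 'wp_');
foreach ($report['administrators'] as $userId => $roles) {
    echo "administrator: user {$userId} (" . implode(',', $roles) . ")" . PHP_EOL;
}
foreach ($report['stray_capability_keys'] as $entry) {
    echo "stray capability key: {$entry}" . PHP_EOL;
}
```

On the sample rows this reports users 1 and 42 as administrators and user 43's xyz_capabilities row as a stray key. Compare the administrator list against the accounts the site owner recognizes; an unfamiliar account with a recent user_registered date in the users table is the artifact this vulnerability leaves behind.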
Similar Attacks
Privilege-escalation vulnerabilities are a common path to full system or platform takeover. Well-known examples include CVE-2021-3156 (Baron Samedit, a heap overflow in sudo), CVE-2021-34527 (PrintNightmare, in the Windows Print Spooler), and CVE-2022-0847 (Dirty Pipe, in the Linux kernel). Those are local operating-system escalations and differ in mechanism from this web-application flaw; the closest analogue is CVE-2023-3460 in the Ultimate Member WordPress plugin, where a registration form likewise allowed the wp_capabilities meta key to be set because a blocklist of user meta keys could be bypassed, and which was exploited in the wild to create rogue administrator accounts. Together these illustrate how control over permissions translates quickly into complete administrative control and high-impact business outcomes.