WordPress Users Manager Plugin Allows Unauthenticated Users to Change User Accounts

CVE-2026-4003
Summary

The Users Manager plugin for WordPress has an authorization flaw that lets anyone modify any user account's metadata without logging in. An attacker could use this to gain access to sensitive user information or to escalate privileges. Update to the latest version of the plugin to fix this issue.

Original title
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization lo...
Original description
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
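The check described above fails because its condition gates only the empty-user_id case, and because a nonce that every visitor receives is a CSRF token, not an authorization control. The following PHP is an added illustration of that pattern beside a corrected handler; it is not the Users manager – PN plugin's code. The handler names (myplugin_save_profile_vulnerable, myplugin_save_profile_fixed), the request fields ('user_id', 'meta_key', 'meta_value', 'nonce') and the allow-listed meta keys are hypothetical; the nonce action 'userspn-nonce' and the WordPress API calls are real.

```php
<?php
/*
 * Added illustration (not the Users manager – PN plugin's code): the authorization
 * pattern the advisory describes, side by side with a corrected handler.
 * Hypothetical: handler names, the request fields 'user_id', 'meta_key',
 * 'meta_value', 'nonce', and the allow-listed meta keys.
 */

// Pattern described in the advisory: the only gate is "no user_id AND not logged in".
// A request that carries a user_id skips the gate entirely, so anyone who can reach
// the nopriv AJAX endpoint can write meta on any account. The nonce check does not
// help, because the nonce is handed to every visitor via wp_localize_script on
// the public wp_enqueue_scripts hook.
function myplugin_save_profile_vulnerable() {
    check_ajax_referer( 'userspn-nonce', 'nonce' );          // value is public, so this is a no-op as auth
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    if ( empty( $user_id ) && ! is_user_logged_in() ) {      // only blocks the empty-id case
        wp_send_json_error( 'Not allowed', 403 );
    }

    $meta_key   = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $meta_value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    update_user_meta( $user_id, $meta_key, $meta_value );    // arbitrary user, arbitrary key
    wp_send_json_success();
}

// Corrected handler: authenticate first, then authorize against the specific target
// user, and never let the client choose which meta keys get written.
function myplugin_save_profile_fixed() {
    check_ajax_referer( 'userspn-nonce', 'nonce' );          // CSRF protection only, not an auth control

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();

    // A user may edit their own profile; editing anyone else requires the edit_user capability.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'Not allowed', 403 );
    }

    // Allow-list the keys this form may write; secret or internal keys are never reachable.
    $allowed_keys = array( 'myplugin_display_color', 'myplugin_bio' );   // hypothetical keys
    $meta_key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $meta_key, $allowed_keys, true ) ) {
        wp_send_json_error( 'Invalid field', 400 );
    }

    $meta_value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    update_user_meta( $user_id, $meta_key, $meta_value );
    wp_send_json_success();
}

// A handler that writes user meta belongs on wp_ajax_ (authenticated users only),
// not on wp_ajax_nopriv_, so unauthenticated requests never reach it at all.
add_action( 'wp_ajax_myplugin_save_profile', 'myplugin_save_profile_fixed' );
```

The two defensive points the corrected handler makes are the ones the advisory turns on: the authorization decision is made per target user with current_user_can(), independently of whether the request happened to include a user_id, and the nonce is treated purely as CSRF protection. When reviewing a plugin for this class of bug, look for any wp_ajax_nopriv_ handler that calls update_user_meta() and check that the path to that call is guarded by something other than a publicly localized nonce.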
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-862 Missing Authorization
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026