8.8

Expire Users plugin for WordPress allows attackers to gain admin access

CVE-2026-4261
Summary

The Expire Users plugin for WordPress, in all versions up to and including 1.2.2, lets any authenticated user with Subscriber-level access or above escalate their privileges to administrator. An attacker with such an account can therefore gain full admin access to the website. To stay safe, update to a secure version of the plugin or remove it if you don't need it.

Original title
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_t...
Original description
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-862 Missing Authorization
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026