CVE-2026-7641:
A privilege escalation vulnerability in the "Import and export users and customers" WordPress plugin (versions up to and including 2.0.8) allows authenticated attackers with Subscriber-level access to escalate their privileges to Administrator on any subsite within a WordPress Multisite network.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:May 2, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:7%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
A privilege escalation vulnerability in the "Import and export users and customers" WordPress plugin (versions up to and including 2.0.8) allows authenticated attackers with Subscriber-level access to escalate their privileges to Administrator on any subsite within a WordPress Multisite network.
Overview
CVE-2026-7641 is a high-severity privilege escalation vulnerability affecting the "Import and export users and customers" WordPress plugin in all versions up to and including 2.0.8. The flaw stems from an incomplete capability meta key blocklist within the `save_extra_user_profile_fields()` function. While the plugin correctly blocks primary site meta keys such as `wp_capabilities` and `wp_user_level`, it fails to account for subsite-specific equivalents used in WordPress Multisite environments (e.g., `wp_2_capabilities`). This oversight allows these keys to pass the blocklist check and be written to user meta, enabling authenticated attackers with as little as Subscriber-level access to escalate their privileges to Administrator on any subsite in the network. Exploitation is conditional on an administrator having imported a CSV with multisite-prefixed capability headers and having enabled the profile field display option.
Remediation
- Users of the "Import and export users and customers" WordPress plugin should update to a version beyond 2.0.8 that incorporates the fix referenced in changeset 3515646. Site administrators should also review the `acui_columns` option to ensure no sensitive multisite capability meta keys have been stored as editable profile fields. In WordPress Multisite environments, administrators should audit user roles across all subsites for any unauthorized privilege escalations. As a precautionary measure, disabling the "Show fields in profile?" option and restricting CSV imports to trusted administrators can reduce the attack surface until the patch is applied.
References
- 1. https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve
- 2. https://plugins.trac.wordpress.org/changeset/3515646
- 3. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198
- 4. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221
- 5. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150
- 6. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21
- 7. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198
- 8. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221
- 9. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150
- 10. https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
