PT-2026-26880 · WordPress · Expire Users

Hunter Jensen

Published

2026-03-21

Updated

2026-03-22

CVE-2026-4261

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Expire Users plugin for WordPress versions through 1.2.2

Description The Expire Users plugin for WordPress is susceptible to a privilege escalation issue. This occurs because the plugin permits a user to modify the on expire default to role meta data through the save extra user profile fields function. Authenticated attackers possessing Subscriber-level access or higher can exploit this to elevate their privileges to administrator level.

Recommendations Versions prior to and including 1.2.2 should be updated to a newer, fixed version when available.

Fix

LPE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-4261

Affected Products

Expire Users

PT-2026-26880 · WordPress · Expire Users

CVE-2026-4261

Weakness Enumeration

Related Identifiers

Affected Products

References · 8