PT-2026-26947 · WordPress · Wordpress Import/Export Users/Customers

Supanat Konprom · Published 2026-03-21 · Updated 2026-05-19

CVE-2026-3629 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Import and export users and customers plugin for WordPress, versions prior to 1.29.8 (1.29.7 and earlier).
Description: The plugin allows unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the wp_capabilities user meta key. The save_extra_user_profile_fields() function does not restrict which user meta keys can be updated through profile fields, and the get_restricted_fields() method omits sensitive meta keys such as wp_capabilities from its denylist. Exploitation requires two conditions: the "Show fields in profile" setting must be enabled, and a CSV file containing a wp_capabilities column header must have been imported previously.
Recommendations: Update the plugin to version 1.29.8 or later. As a temporary workaround, disable the "Show fields in profile" setting until the update can be applied; this removes the path by which imported columns are exposed as editable fields, but it does not remove the underlying flaw.
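The flaw is a denylist that protects core account columns but not the meta key WordPress uses to store roles. The following is an added illustration written for this advisory, not the plugin's code: it models a profile-field saver that treats previously imported CSV column headers as the set of editable user meta keys, first with a denylist that omits the capabilities key, then hardened. All function, variable and option names are assumptions; the only WordPress facts it relies on are that roles live under `{$wpdb->prefix}capabilities` (wp_capabilities with the default prefix) and that PHP parses `key[subkey]=1` form fields into nested arrays.

```php
<?php
// Added example, not the plugin's code. Models a profile-field saver that uses
// previously imported CSV column names as the set of editable user meta keys,
// first with a denylist that omits the capabilities key (the flaw described
// above), then hardened. Function and variable names are assumptions.

declare(strict_types=1);

// Stand-in for $wpdb->prefix; WordPress stores roles under "{prefix}capabilities".
const TABLE_PREFIX = 'wp_';

// Assumed denylist of the vulnerable version: core account columns only.
function vulnerable_get_restricted_fields(): array
{
    return ['ID', 'user_login', 'user_pass', 'user_email', 'user_registered'];
}

// Hardened denylist: also the keys that grant roles and levels, plus sessions.
function hardened_get_restricted_fields(string $prefix = TABLE_PREFIX): array
{
    return array_merge(vulnerable_get_restricted_fields(), [
        $prefix . 'capabilities',
        $prefix . 'user_level',
        'session_tokens',
    ]);
}

// Defence in depth: reject any key ending in capabilities/user_level whatever
// prefix precedes it (multisite uses "{prefix}{blog_id}_capabilities").
function is_privileged_meta_key(string $key): bool
{
    return (bool) preg_match('/(^|_)(capabilities|user_level)$/i', $key);
}

/**
 * @param array<string,mixed> $meta        current user meta (stand-in for usermeta rows)
 * @param string[]            $csv_columns headers of the last imported CSV, shown as profile fields
 * @param array<string,mixed> $request     $_POST of the registration/profile form
 * @param string[]            $restricted  keys that must never be written from the form
 * @param bool                $strict      true = hardened behaviour
 */
function save_extra_user_profile_fields(array $meta, array $csv_columns, array $request, array $restricted, bool $strict): array
{
    foreach ($csv_columns as $key) {
        if (!array_key_exists($key, $request)) {
            continue;
        }
        if (in_array($key, $restricted, true)) {
            continue;
        }
        if ($strict && is_privileged_meta_key($key)) {
            continue;
        }
        $meta[$key] = $request[$key]; // update_user_meta($user_id, $key, $value) in WordPress
    }
    return $meta;
}

// Renders the role(s) recorded in the capabilities meta for display.
function role_of(array $meta): string
{
    $caps = $meta[TABLE_PREFIX . 'capabilities'] ?? [];
    return is_array($caps) ? implode(',', array_keys(array_filter($caps))) : '(none)';
}

// Constructed scenario: an administrator once imported a CSV whose header row
// included the capabilities column, so it is now listed as a profile field.
$csv_columns = ['user_email', 'city', TABLE_PREFIX . 'capabilities'];

// Constructed registration request. A form field named
// "wp_capabilities[administrator]" arrives as a nested array, the shape
// WordPress itself uses for this key.
$request = [
    'user_email'                  => 'attacker@example.invalid',
    'city'                        => 'Nowhere',
    TABLE_PREFIX . 'capabilities' => ['administrator' => true],
];

// A fresh registration normally starts with the site's default role.
$new_user_meta = [TABLE_PREFIX . 'capabilities' => ['subscriber' => true]];

$vuln = save_extra_user_profile_fields($new_user_meta, $csv_columns, $request, vulnerable_get_restricted_fields(), false);
$hard = save_extra_user_profile_fields($new_user_meta, $csv_columns, $request, hardened_get_restricted_fields(), true);

printf("vulnerable: role=%s city=%s\n", role_of($vuln), $vuln['city']);
printf("hardened:   role=%s city=%s\n", role_of($hard), $hard['city']);
```

In the vulnerable path the request overwrites the subscriber role with administrator because the key passes the denylist; in the hardened path the write is dropped while the harmless city field is still stored. Note that user_email is blocked in both cases, which is exactly why a denylist looks adequate until someone enumerates the keys that are not on it; an allowlist of the fields the site actually intends to expose is the safer design. After updating, it is worth confirming that no registration abused the window: `wp user list --role=administrator --fields=ID,user_login,user_registered` lists every administrator with the date the account was created, and any CSV previously imported through the plugin should be reviewed for capabilities or user_level column headers.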

Fix

LPE

Improper Privilege Management


Weakness Enumeration

Related Identifiers

CVE-2026-3629

Affected Products

Wordpress Import/Export Users/Customers