PT-2026-31078 · Felixmartinez · Users Manager – Pn

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-4003
CVSS v3.1: 9.8 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The Users manager – PN plugin for WordPress is vulnerable to privilege escalation via arbitrary user meta update in all versions up to and including 1.1.15. The cause is a flawed authorization check in the userspn_ajax_nopriv_server() function, in its 'userspn_form_save' case. The conditional rejects unauthenticated callers only when the supplied user ID is empty; when a non-empty user ID is supplied, execution bypasses the check entirely and proceeds to write arbitrary user meta via update_user_meta() with no authentication or authorization verification.

In addition, the nonce the AJAX endpoint requires ('userspn-nonce') is exposed to every visitor via wp_localize_script() on the public wp_enqueue_scripts hook, so the nonce check does not function as a security control: a nonce that any unauthenticated client can read is at most a CSRF token, not proof of identity or permission.

As a result, unauthenticated attackers can update arbitrary user metadata for any user account, including the userspn_secret_token field.
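To make the flawed conditional concrete, the following PHP is an added illustration written for this page; it is not the plugin's code, and the handler names, request fields and the meta-key allow-list are assumptions chosen to show the pattern. The first function reproduces the shape of the bug the advisory describes (a check that only fires when the ID is empty, followed by an unguarded update_user_meta() call); the second shows the checks a correct handler needs, using only standard WordPress API calls.

```php
<?php
// Added illustration of the authorization flaw described in the advisory.
// NOT the plugin's code: function names, request fields and meta keys are
// assumptions used to show the pattern and its fix.

// --- Vulnerable shape (reachable through a wp_ajax_nopriv_ hook) ----------
function userspn_form_save_vulnerable( array $request ) {
    $user_id = isset( $request['user_id'] ) ? absint( $request['user_id'] ) : 0;

    // Flaw: the logged-out check is evaluated only when no id was sent.
    // Any non-empty user_id skips this branch, so an anonymous caller
    // picks the target account freely.
    if ( empty( $user_id ) && ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required.' );
    }

    // No capability check: arbitrary meta keys on an arbitrary user.
    foreach ( (array) $request['meta'] as $key => $value ) {
        update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( $value ) );
    }
    return true;
}

// --- Hardened shape ---------------------------------------------------------
// 1. Register the save action for authenticated requests only (no nopriv).
// 2. Verify the nonce, but treat it purely as CSRF protection.
// 3. Require a capability that ties the caller to the target account.
// 4. Restrict writable meta to an explicit allow-list.

// Assumed allow-list; sensitive fields (e.g. a secret token) are never listed.
const USERSPN_WRITABLE_META = array( 'userspn_display_name', 'userspn_phone' );

function userspn_form_save_hardened() {
    // CSRF check. A nonce leaked to all visitors via wp_localize_script()
    // still says nothing about who the caller is, so it is not auth.
    check_ajax_referer( 'userspn-nonce', 'nonce' );

    // Authentication.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Login required.', 401 );
    }

    // Default to the caller's own account when no id is supplied.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();

    // Authorization: the account owner, or someone allowed to edit that user.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'Not allowed to modify this user.', 403 );
    }

    $meta = ( isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ) ? wp_unslash( $_POST['meta'] ) : array();
    foreach ( $meta as $key => $value ) {
        $key = sanitize_key( $key );
        // Keys outside the allow-list are silently dropped.
        if ( ! in_array( $key, USERSPN_WRITABLE_META, true ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
    }
    wp_send_json_success();
}

// Authenticated AJAX only; deliberately no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_userspn_form_save', 'userspn_form_save_hardened' );
```

The point of the hardened version is that each check answers a different question: check_ajax_referer() guards against cross-site requests, is_user_logged_in() establishes a caller, and current_user_can( 'edit_user', $user_id ) ties that caller to the specific target account. None of the three can stand in for the others, and an allow-list keeps fields like a secret token out of client reach even for legitimate callers.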

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2026-4003
Affected Products: Users Manager – Pn