PT-2026-36572 · WordPress · Export/Import Users/Customers

Di Nhau · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-7641

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Import and export users and customers plugin for WordPress, versions prior to 2.0.9

Description: An issue exists in the save_extra_user_profile_fields() function, where an incomplete blocklist fails to restrict capability meta keys for subsites in a WordPress Multisite network. While the primary-site keys wp_capabilities and wp_user_level are blocked, subsite equivalents such as wp_2_capabilities and wp_2_user_level bypass the in_array() check and are written to user meta via update_user_meta(). Authenticated attackers with Subscriber-level access or higher can escalate their privileges to Administrator on any subsite by submitting a crafted profile update to the "/wp-admin/profile.php" endpoint. This requires an administrator to have previously imported a CSV file with multisite-prefixed capability column headers and enabled the 'Show fields in profile?' option, which exposes these keys as editable fields on the user profile page.

Recommendations: Update the plugin to a version later than 2.0.8. As a temporary workaround, disable the 'Show fields in profile?' option to prevent capability keys from being exposed as editable fields on the user profile page.
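The following PHP is an added illustration of the weakness class described above, not code from the plugin or from the advisory's author. It contrasts an exact-match blocklist of the kind the description reports (which only names the primary-site keys) with a check that derives the protected key pattern from the database base prefix, so subsite keys such as wp_2_capabilities are covered as well, and with an allowlist that rejects any key the plugin did not itself expose. Function names, the `wp_` base prefix default and the sample submission are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). In a real WordPress install the base
// prefix comes from $wpdb->base_prefix; per-site prefixes are
// $wpdb->get_blog_prefix( $blog_id ), e.g. "wp_2_" for blog id 2.

// Incomplete blocklist, as the advisory describes it: an exact match against the
// primary-site keys only, so "wp_2_capabilities" passes straight through.
function is_blocked_meta_key_incomplete(string $key): bool {
    $blocklist = ['wp_capabilities', 'wp_user_level'];
    return in_array($key, $blocklist, true);
}

// Hardened check: match "<prefix>capabilities" and "<prefix><blog_id>_capabilities"
// (and the user_level equivalents) for the configured base prefix, whatever the
// blog id. preg_quote() keeps a non-default prefix such as "site7_" from being
// interpreted as regex syntax.
function is_protected_capability_key(string $key, string $base_prefix = 'wp_'): bool {
    $pattern = '/^' . preg_quote($base_prefix, '/') . '(?:\d+_)?(?:capabilities|user_level)$/';
    return preg_match($pattern, $key) === 1;
}

// Defence in depth: only write meta keys the plugin itself exposed as profile
// fields ($allowed_keys is assumed to come from the plugin's own field list),
// and still refuse capability keys even if one slipped into that list via a CSV.
function filter_profile_updates(array $submitted, array $allowed_keys, string $base_prefix = 'wp_'): array {
    $clean = [];
    foreach ($submitted as $key => $value) {
        if (!in_array($key, $allowed_keys, true)) {
            continue;                                   // unknown field: drop it
        }
        if (is_protected_capability_key($key, $base_prefix)) {
            continue;                                   // capability/role key: never user-editable
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample submission: one legitimate field and three capability keys.
// The values are placeholders; the point is which keys survive each check.
$submitted = [
    'first_name'        => 'Alice',
    'wp_capabilities'   => 'ATTACKER_CONTROLLED',
    'wp_2_capabilities' => 'ATTACKER_CONTROLLED',
    'wp_2_user_level'   => 'ATTACKER_CONTROLLED',
];

foreach (array_keys($submitted) as $key) {
    printf("%-20s incomplete blocklist: %-5s  hardened: %s\n",
        $key,
        is_blocked_meta_key_incomplete($key) ? 'block' : 'ALLOW',
        is_protected_capability_key($key)    ? 'block' : 'allow'
    );
}
// wp_2_capabilities and wp_2_user_level are ALLOWed by the incomplete check
// and blocked by the hardened one.

// With an allowlist that mirrors what an admin imported (including, as in the
// advisory's precondition, a multisite-prefixed capability column), only
// first_name is written.
$allowed_from_import = ['first_name', 'wp_2_capabilities'];
var_export(filter_profile_updates($submitted, $allowed_from_import));
echo "\n";
```

The regex-based check is the minimal fix for the blocklist itself; the allowlist is the stronger control because it does not depend on enumerating every dangerous key. A plugin that stores arbitrary imported column headers as user meta should also treat capability and role keys as non-importable at CSV import time, so they never reach the profile form in the first place.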

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2026-7641

Affected Products

Export/Import Users/Customers