Quick Look: CVE-2026-4003 — Unauthenticated Privilege Escalation in WordPress Users Manager PN Plugin

A brief summary of CVE-2026-4003, a critical unauthenticated privilege escalation vulnerability in the Users Manager PN plugin for WordPress that allows arbitrary user metadata updates and account takeover via a flawed authorization check and a publicly exposed nonce.

CVE Analysis

5 min read

ZeroPath CVE Analysis

2026-04-07

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A flawed authorization check in the Users Manager PN plugin for WordPress allows completely unauthenticated attackers to overwrite arbitrary user metadata on any account, opening a direct path to full account takeover. With a CVSS score of 9.8 and an exploit that requires nothing more than a single crafted HTTP request, this vulnerability represents a serious risk for any WordPress site running the affected plugin.

The Users Manager PN plugin (slug: "userspn") is a WordPress plugin developed by Padres en la Nube and distributed through the official WordPress plugin repository. It provides user management functionality for WordPress sites. While its exact installation footprint is not publicly documented, its presence in the WordPress.org ecosystem means it is accessible to any WordPress administrator searching for user management solutions.

Technical Information

The vulnerability resides in the userspn_ajax_nopriv_server() function within the file class-userspn-ajax-nopriv.php, specifically in the code path handling the userspn_form_save AJAX action. The classification is CWE-862: Missing Authorization.

Root Cause: Flawed Authorization Conditional

The authorization logic contains a critical flaw in how it evaluates whether a request should be permitted. The conditional check only blocks unauthenticated users when the user_id parameter is empty. When an attacker supplies a non-empty user_id value, execution bypasses this security gate entirely. Once past this check, the function proceeds to call update_user_meta() without performing any authentication or authorization verification on the requesting party.

This means any visitor to the site can issue an AJAX request targeting any user account by ID and modify their metadata fields at will.

Compounding Factor: Public Nonce Exposure

WordPress nonces are intended to serve as a secondary security mechanism, verifying that a request originated from a legitimate context. In this case, the nonce required for the AJAX endpoint (identified as userspn-nonce) is exposed to every site visitor. The plugin registers this nonce via wp_localize_script on the public wp_enqueue_scripts hook, which means it is embedded in the page source for any unauthenticated visitor. This completely negates the nonce as a security control.
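The two weaknesses described above, the authorization conditional that only fires when user_id is empty and the nonce that is handed to every visitor, are easiest to see side by side. The following is an added illustration, not the plugin's actual source or code from the ZeroPath write-up: the first function has the shape of the flawed check the analysis describes, the second is how a WordPress AJAX handler that writes user metadata should be gated. The function names, the `fields` parameter, the `nonce` field name and the allowlisted meta keys are assumptions; only the `user_id` parameter and the `userspn-nonce` action name come from the analysis.

```php
<?php
// Added illustrative example (not the plugin's real code). Names other than
// user_id and userspn-nonce are assumptions made for this illustration.

// --- Vulnerable shape (for understanding only, do not deploy) ---
// The guard fires only when user_id is empty, so an anonymous request that
// carries any non-empty user_id reaches update_user_meta() unchecked.
function example_form_save_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    if ( empty( $user_id ) && ! is_user_logged_in() ) {
        wp_send_json_error( 'Not allowed' );
    }

    $fields = isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ? $_POST['fields'] : array();
    foreach ( $fields as $key => $value ) {
        // Attacker-chosen key and value written to an attacker-chosen account.
        update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// --- Hardened shape ---
function example_form_save_hardened() {
    // 1. Nonce: a CSRF control only. It proves the request came from a page
    //    that carried the token, never who sent it.
    check_ajax_referer( 'userspn-nonce', 'nonce' );

    // 2. Authentication: anonymous visitors are refused regardless of user_id.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    // 3. Authorization: a caller may edit their own account, or another
    //    account only if WordPress grants them edit_user for that target.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 4. Allowlist the meta keys a form may write; security-sensitive keys
    //    (tokens, capabilities, roles) are never form-editable.
    $allowed = array( 'example_display_pref', 'example_newsletter_optin' ); // assumed keys
    $fields  = isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ? $_POST['fields'] : array();
    foreach ( $fields as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // ignore anything outside the allowlist
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// Registered for authenticated requests only. Deliberately no
// wp_ajax_nopriv_ hook: anonymous callers get no handler at all.
add_action( 'wp_ajax_example_form_save', 'example_form_save_hardened' );
```

The ordering matters: nonce, then authentication, then per-target authorization, then a key allowlist. A nonce check alone would have changed nothing here, because a nonce created for a logged-out visitor is the same for every logged-out visitor and is printed into the public page; it can stop cross-site request forgery but cannot stand in for `is_user_logged_in()` or `current_user_can()`.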

The relevant code paths can be examined in the WordPress plugin repository at the following locations:

Attack Flow

The exploitation path is straightforward:

  1. An unauthenticated attacker visits any page on the target WordPress site where the Users Manager PN plugin enqueues its scripts.
  2. The attacker extracts the userspn-nonce value from the page source, where it is embedded by wp_localize_script.
  3. The attacker crafts an AJAX request to the userspn_form_save action, supplying a non-empty user_id parameter (for example, the administrator's user ID, which is commonly 1 on WordPress installations).
  4. Because the user_id is non-empty, the flawed authorization conditional is bypassed entirely.
  5. The nonce check passes because the attacker already obtained the valid nonce from the public page.
  6. The function calls update_user_meta() with attacker-controlled field names and values, updating the target user's metadata.
  7. By overwriting the userspn_secret_token field (or other sensitive metadata), the attacker can achieve full account takeover of the targeted user, including administrator accounts.

The entire attack requires no prior authentication, no special tooling, and no brute forcing. It is a single, well-formed HTTP request.
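For a site that cannot update immediately, the attack flow above suggests a narrow interim control: refuse the `userspn_form_save` action whenever it arrives from an anonymous session, and log the attempt so it is visible to detection. The following must-use plugin is an added example written for this analysis, not code from ZeroPath or from the Users Manager PN plugin. It relies on the fact that `wp-admin/admin-ajax.php` fires the `admin_init` action before it dispatches `wp_ajax_*` and `wp_ajax_nopriv_*` handlers. The action name and the `user_id` parameter come from the analysis; the function name, log prefix and message text are assumptions.

```php
<?php
/**
 * Plugin Name: Interim guard for unauthenticated userspn_form_save
 *
 * Added example (not part of the original analysis or the plugin). Drop into
 * wp-content/mu-plugins/ as a stopgap until the plugin is updated to a fixed
 * release. Function and log names are assumptions for this illustration.
 */

// admin-ajax.php runs 'admin_init' before dispatching the requested AJAX
// action, so a guard hooked here runs ahead of the plugin's own callback.
add_action( 'admin_init', 'example_guard_userspn_form_save', 0 );

function example_guard_userspn_form_save() {
    // Only look at AJAX requests for the one affected action.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'userspn_form_save' !== $action ) {
        return;
    }

    // Authenticated callers pass through; the permanent fix belongs upstream.
    if ( is_user_logged_in() ) {
        return;
    }

    // Record what a detection pipeline wants: source address and targeted id.
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    error_log( sprintf(
        '[userspn-guard] blocked unauthenticated userspn_form_save from %s targeting user_id=%d',
        $ip,
        $user_id
    ) );

    // wp_send_json_error() ends the request, so the plugin handler never runs.
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
}
```

Because this guard keys on the request's session rather than on the `user_id` value, it closes the exact gap the analysis describes: a non-empty `user_id` no longer buys an anonymous caller anything. The log line is the detection artefact; a burst of these entries, or any entry whose `user_id` is a known administrator id, is worth treating as an exploitation attempt against an unpatched install. The guard is a stopgap only; the remediation is the fixed plugin release the vendor has identified.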

Affected Systems and Versions

All versions of the Users Manager PN plugin for WordPress up to and including version 1.1.15 are affected. The vulnerability is present in both the tagged release (1.0.31 is referenced in the source code repository) and the trunk branch. The vendor has indicated that version 1.1.20 addresses this issue.

References
