The vulnerability CVE-2026-3629 affects the 'Import and export users and customers' WordPress plugin developed by carazo, specifically versions up to and including 1.29.7. The root cause is improper privilege management (CWE-269) in the 'save_extra_user_profile_fields' function, which fails to restrict updates to sensitive user meta keys such as 'wp_capabilities'. This meta key controls user roles and capabilities within WordPress, and unauthorized modification can grant administrative privileges. The plugin's 'get_restricted_fields' method does not include 'wp_capabilities' among restricted fields, allowing attackers to manipulate it via profile fields. Exploitation requires two conditions: the plugin's 'Show fields in profile' setting must be enabled, and a CSV file previously imported must contain a 'wp_capabilities' column header. An unauthenticated attacker can then submit a crafted registration request that sets 'wp_capabilities', effectively escalating their privileges to Administrator without authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting network attack vector, high attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to affected WordPress sites, especially those with the vulnerable plugin installed and configured as described.

This vulnerability allows unauthenticated attackers to escalate their privileges to Administrator on WordPress sites using the vulnerable plugin with specific settings enabled. Successful exploitation compromises the confidentiality, integrity, and availability of the affected site. Attackers gaining admin access can fully control the website, including modifying content, installing malicious plugins or backdoors, stealing sensitive data, defacing the site, or using it as a launchpad for further attacks. This can lead to data breaches, reputational damage, loss of customer trust, and potential regulatory penalties. The attack complexity is high due to required configuration conditions, but no authentication or user interaction is needed, increasing risk. Organizations relying on this plugin for user import/export functionality are particularly at risk, especially if they have enabled the 'Show fields in profile' setting and imported CSV files with 'wp_capabilities' columns. The vulnerability affects all versions up to 1.29.7, so sites not updated or patched remain exposed.

1. Immediately disable the 'Show fields in profile' setting in the plugin configuration to prevent exposure of sensitive meta fields. 2. Avoid importing CSV files containing the 'wp_capabilities' column until the vulnerability is addressed. 3. Update the plugin to a patched version once released by the vendor; monitor official channels for patch announcements. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious registration requests attempting to set 'wp_capabilities' or other sensitive meta keys. 5. Audit user roles and capabilities regularly to detect unauthorized privilege escalations. 6. Restrict access to plugin settings and user profile editing to trusted administrators only. 7. Consider temporarily disabling the plugin if it is not essential to reduce attack surface. 8. Monitor logs for unusual registration activity or profile updates involving meta keys. 9. Educate site administrators about the risk and ensure secure configuration practices. 10. Employ principle of least privilege for all user accounts to limit potential damage from escalations.