CVE-2026-3629 is a privilege escalation vulnerability in the carazo Import and export users and customers WordPress plugin. The vulnerability arises from improper privilege management (CWE-269) in the 'save_extra_user_profile_fields' function, which fails to restrict updates to sensitive user meta keys such as 'wp_capabilities'. The 'get_restricted_fields' method does not include these sensitive keys, enabling unauthenticated attackers to escalate privileges by submitting crafted registration requests that set the 'wp_capabilities' meta key. Exploitation requires the plugin's "Show fields in profile" setting to be enabled and prior import of a CSV containing a 'wp_capabilities' column header. The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability.

Successful exploitation allows unauthenticated attackers to escalate their privileges to Administrator on affected WordPress sites using the vulnerable plugin. This results in full control over the site, including the ability to modify content, install malicious code, and compromise site integrity and availability. The vulnerability affects all versions up to and including 1.29.7 of the plugin.

No official patch or fix is currently documented for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable the "Show fields in profile" setting and avoid importing CSV files containing the 'wp_capabilities' column header to prevent exploitation. Monitor vendor channels for updates and apply any official patches once released.