CVE-2026-4003 affects the Users manager – PN plugin for WordPress, where the userspn_ajax_nopriv_server() function improperly authorizes requests. The conditional check only blocks unauthenticated users if the user_id parameter is empty, but if a non-empty user_id is provided, the function bypasses authorization and updates user meta data via update_user_meta() without verifying authentication or authorization. Additionally, the security nonce ('userspn-nonce') is exposed publicly through wp_localize_script on the front-end, rendering the nonce ineffective as a security control. This combination allows unauthenticated attackers to arbitrarily modify user metadata, including sensitive fields such as userspn_secret_token, resulting in privilege escalation.

An unauthenticated attacker can escalate privileges by modifying arbitrary user metadata for any user account in the WordPress site running the vulnerable plugin. This can lead to full account compromise, data integrity loss, and potentially site-wide impact given the high privileges associated with user meta manipulation. The CVSS 3.1 score of 9.8 reflects the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to disable or remove the Users manager – PN plugin to prevent exploitation. Monitor vendor channels for updates or patches addressing this authorization flaw. Do not rely on the nonce as a security control since it is publicly exposed.