The vulnerability in the 'Import and export users and customers' WordPress plugin stems from an incomplete blocklist in the save_extra_user_profile_fields() function. While capability meta keys for the primary site are correctly restricted, equivalent keys for subsites in a WordPress Multisite network (e.g., wp_2_capabilities) are not blocked. This allows these keys to bypass the in_array() check and be written directly to user meta via update_user_meta(), enabling privilege escalation. Attackers with Subscriber-level access can escalate to Administrator on any subsite by submitting crafted profile updates to /wp-admin/profile.php. Successful exploitation depends on an administrator having previously imported a CSV containing multisite-prefixed capability columns and enabling the 'Show fields in profile?' option, which stores these keys in the acui_columns option and exposes them as editable profile fields.

An authenticated user with Subscriber-level or higher access can escalate their privileges to Administrator on any subsite within a WordPress Multisite network. This leads to full control over the subsite, including the ability to modify content, settings, and user roles, resulting in complete compromise of the affected subsite's integrity, confidentiality, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should avoid importing CSV files containing multisite-prefixed capability columns and refrain from enabling the 'Show fields in profile?' option. Additionally, restrict profile editing capabilities to trusted users only and monitor for unusual privilege changes.