cleantalk
Vulnerabilities and Security Researches

Import and export users and customers, CVE-2026-3629

CVE, Research URL

CVE-2026-3629

Home page URL

Security reports for Import and export users and customers

Application

Import and export users and customers

Published on
Mar 22, 2026
Research Description
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.
Affected versions
max 2.0.
Status
vulnerable
Previous vulnerability researches
Simple GDPR Cookie Compliance (CVE-2026-24604) , Jan 27, 2026
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
New vulnerability
Advanced Contact form 7 DB (CVE-2026-0811) , Apr 14, 2026
Advanced Contact form 7 DB (CVE-2026-0814) , Apr 14, 2026
Import any XML or CSV File to WordPress (CVE-2026-2830) , Apr 14, 2026
Visual Link Preview (CVE-2026-39670) , Apr 14, 2026
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor T (CVE-2025-6229) , Apr 14, 2026