CVE-2026-7641

🗓️ 02 May 2026 04:27:44Reported by WordfenceType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 17 Views🌐 WEB

Privilege escalation in WordPress multisite plugin up to 2.0.8 via crafted profile updates after CSV import.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-7641	2 May 202604:27	–	attackerkb
Circl	CVE-2026-7641	6 May 202616:33	–	circl
CNNVD	WordPress plugin Import and export users and customers 安全漏洞	2 May 202600:00	–	cnnvd
Cvelist	CVE-2026-7641 Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields	2 May 202604:27	–	cvelist
EUVD	EUVD-2026-26740	2 May 202604:27	–	euvd
NVD	CVE-2026-7641	2 May 202605:16	–	nvd
Patchstack	WordPress Import and export users and customers plugin <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation vulnerability	5 May 202609:22	–	patchstack
Positive Technologies	PT-2026-36572	2 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-7641	4 May 202620:21	–	redhatcve
Vulnrichment	CVE-2026-7641 Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields	2 May 202604:27	–	vulnrichment

Vulners

Node

carazo import_and_export_users_and_customersRange≤2.0.8wordpress

[
  {
    "vendor": "carazo",
    "product": "Import and export users and customers",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "2.0.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php
plugins	www.plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php
plugins	www.plugins.trac.wordpress.org/changeset/3515646

Parameter	Position	Path	Description	CWE
wp_2_capabilities	request body	wp-admin/profile.php	Privilege escalation via multisite-prefixed user meta keys written during profile update on WordPress Multisite (e.g., wp_2_capabilities exposing admin privileges).	CWE-269
wp_2_user_level	request body	wp-admin/profile.php	Privilege escalation via multisite-prefixed user meta keys written during profile update on WordPress Multisite (e.g., wp_2_capabilities exposing admin privileges).	CWE-269
wp_capabilities	request body	wp-admin/profile.php	Privilege escalation via multisite-prefixed user meta keys written during profile update on WordPress Multisite (e.g., wp_2_capabilities exposing admin privileges).	CWE-269
wp_user_level	request body	wp-admin/profile.php	Privilege escalation via multisite-prefixed user meta keys written during profile update on WordPress Multisite (e.g., wp_2_capabilities exposing admin privileges).	CWE-269
acui_columns	request body	wp-admin/profile.php	Privilege escalation via multisite-prefixed user meta keys written during profile update on WordPress Multisite (e.g., wp_2_capabilities exposing admin privileges).	CWE-269

17 Jun 2026 11:02Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.18.8

EPSS0.00476

SSVC

CWE-269