Unauthenticated Arbitrary User Meta Update Privilege Escalation in Users manager – PN for WordPress
CVE-2026-4003 is a missing-authorization vulnerability in the Users manager – PN WordPress plugin affecting all versions up to and including 1.1.15. The flaw is in the userspn_ajax_nopriv_server() function, specifically the userspn_form_save AJAX action handler. The authorization logic only rejects unauthenticated requests when the supplied user_id is empty; if an attacker provides a non-empty user_id, execution bypasses the intended restriction and proceeds to update arbitrary user metadata through update_user_meta() without proper authentication or authorization checks. The issue is compounded by the plugin exposing the required userspn-nonce to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, which makes the nonce ineffective as a meaningful access control. As a result, an unauthenticated attacker can send a crafted request to modify metadata for arbitrary accounts, including sensitive fields such as userspn_secret_token, creating a direct path to account takeover.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A privilege escalation vulnerability in the Users manager – PN plugin for WordPress that allows unauthenticated attackers to update arbitrary user metadata, including sensitive fields, due to flawed authorization logic and exposure of a nonce to all visitors.
An unauthenticated arbitrary user metadata overwrite vulnerability in the Users Manager PN WordPress plugin caused by missing authorization checks and publicly exposed nonce values, enabling full account takeover including administrator accounts.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.