CVE-2026-4003 | felixmartinez Users manager Plugin up to 1.1.15 on WordPress AJAX Endpoint userspn_ajax_nopriv_server userspn_secret_token authorization
VulDBArchived Apr 08, 2026✓ Full text saved
A vulnerability has been found in felixmartinez Users manager Plugin up to 1.1.15 on WordPress and classified as critical . Impacted is the function userspn_ajax_nopriv_server of the component AJAX Endpoint . The manipulation of the argument userspn_secret_token leads to missing authorization. This vulnerability is traded as CVE-2026-4003 . It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-356010 · CVE-2026-4003 · GCVE-0-2026-4003
FELIXMARTINEZ USERS MANAGER PLUGIN UP TO 1.1.15 ON WORDPRESS AJAX ENDPOINT USERSPN_AJAX_NOPRIV_SERVER USERSPN_SECRET_TOKEN AUTHORIZATION
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
8.4 $0-$5k 0.58+
Summaryinfo
A vulnerability was found in felixmartinez Users manager Plugin up to 1.1.15 on WordPress and classified as critical. The affected element is the function userspn_ajax_nopriv_server of the component AJAX Endpoint. The manipulation of the argument userspn_secret_token results in authorization. This vulnerability is known as CVE-2026-4003. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.
Detailsinfo
A vulnerability was found in felixmartinez Users manager Plugin up to 1.1.15 on WordPress. It has been classified as critical. Affected is the function userspn_ajax_nopriv_server of the component AJAX Endpoint. The manipulation of the argument userspn_secret_token with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.
The weakness was published by Ha Gia Bao. The advisory is available at wordfence.com. This vulnerability is traded as CVE-2026-4003 since 03/11/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit.
Upgrading to version 1.0.31 eliminates this vulnerability.
Productinfo
Type
WordPress Plugin
Vendor
felixmartinez
Name
Users manager Plugin
Version
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 8.5
VulDB Meta Temp Score: 8.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 9.8
CNA Vector (Wordfence): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Authorization
CWE: CWE-862 / CWE-863 / CWE-285
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: Users manager Plugin 1.0.31
Timelineinfo
03/11/2026 CVE reserved
04/08/2026 +27 days Advisory disclosed
04/08/2026 +0 days VulDB entry created
04/08/2026 +0 days VulDB entry last update
Sourcesinfo
Advisory: wordfence.com
Researcher: Ha Gia Bao
Status: Confirmed
CVE: CVE-2026-4003 (🔒)
GCVE (CVE): GCVE-0-2026-4003
GCVE (VulDB): GCVE-100-356010
Entryinfo
Created: 04/08/2026 08:01
Changes: 04/08/2026 08:01 (68)
Complete: 🔍
Cache ID: 99:972:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸