CVE-2026-3629

High
Weakness type: CWE-269 (Improper Privilege Management)
Published: Mar 21, 2026  ·  Modified: Mar 28, 2026  ·  Source: NVD
CVSS v3.1 base score: 8.1 (source: NVD)
📄 Description (English)

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields in profile" setting is enabled and a CSV with a wp_capabilities column header has been previously imported.
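The flaw the description names is a deny-list of profile keys that omits the WordPress capabilities key. The following model is an added illustration (the editor's Python, not the plugin's PHP code): the function and constant names mirror the names the description mentions, the restricted-field list is an assumption, and the request and imported-column set are constructed. It runs the same registration request through the vulnerable decision and a hardened one, and also shows the two preconditions (the key must already be a known profile field) and the table-prefix caveat (`wp_capabilities` is only the default-prefix name of `<prefix>capabilities`).

```python
"""Model of the meta-key filtering flaw described in the advisory above.
Added illustration in Python, not the plugin's PHP code: names mirror the
advisory's, the restricted list and sample data are assumptions."""

# Assumed restricted list of the vulnerable version: it blocks a few core
# account fields but omits the capabilities key, which is the flaw.
RESTRICTED_FIELDS = {"ID", "user_login", "user_pass", "user_email"}

# WordPress stores roles under "<table_prefix>capabilities" and the legacy
# level under "<table_prefix>user_level". "wp_" is only the default prefix.
PROTECTED_SUFFIXES = ("capabilities", "user_level")

# Constructed attacker value, PHP-serialized the way WordPress stores the
# capabilities array: one key, "administrator", set to true.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'


def capability_keys(prefix: str = "wp_") -> set[str]:
    """Keys that must never be settable from a registration form.
    Both the site's real prefix and the default are covered, so a custom
    $table_prefix does not slip past the check."""
    return {p + s for p in {prefix, "wp_"} for s in PROTECTED_SUFFIXES}


def save_extra_profile_fields(submitted: dict[str, str],
                              imported_columns: set[str],
                              prefix: str = "wp_",
                              hardened: bool = False,
                              requester_can_promote: bool = False) -> dict[str, str]:
    """Return the meta keys a registration request would write.

    Vulnerable model (hardened=False): any submitted key that matches a column
    header seen in an earlier CSV import is written unless it is in
    RESTRICTED_FIELDS. That reproduces the advisory's preconditions: the key
    must already be a known profile field, and the restricted list does not
    contain the capabilities key.

    Hardened model (hardened=True): capability/level keys are additionally
    refused unless the requester may promote users, which is never the case
    for an unauthenticated registration.
    """
    written: dict[str, str] = {}
    for key, value in submitted.items():
        if key not in imported_columns or key in RESTRICTED_FIELDS:
            continue
        if hardened and key in capability_keys(prefix) and not requester_can_promote:
            continue
        written[key] = value
    return written


# Constructed scenario: an earlier CSV import had a wp_capabilities column
# and "Show fields in profile" is on, so the key is a known profile field.
IMPORTED_COLUMNS = {"first_name", "phone", "wp_capabilities"}
REGISTRATION_REQUEST = {
    "user_login": "mallory",
    "first_name": "Mallory",
    "wp_capabilities": ADMIN_CAPS,
}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Same request through the vulnerable and the hardened model."""
    vulnerable = save_extra_profile_fields(REGISTRATION_REQUEST, IMPORTED_COLUMNS)
    hardened = save_extra_profile_fields(REGISTRATION_REQUEST, IMPORTED_COLUMNS, hardened=True)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable writes:", sorted(v))   # includes wp_capabilities
    print("hardened writes:  ", sorted(h))   # first_name only
```

The hardened check deliberately keys on the suffix rather than the literal `wp_capabilities`: a site whose `$table_prefix` is not `wp_` stores its roles under a different key, and a fix or WAF rule that only knows the default name misses it.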

🤖 AI Executive Summary

A high-severity (CVSS v3.1 base 8.1) privilege escalation vulnerability exists in the Import and export users and customers WordPress plugin (versions ≤1.29.7) that allows unauthenticated attackers to obtain Administrator privileges. The root cause is that the plugin's profile-field handler does not exclude the WordPress capabilities meta key ('wp_capabilities' on a default-prefix site) from the keys a registration request may set. Exploitation requires two preconditions: the 'Show fields in profile' setting must be enabled and a CSV containing a wp_capabilities column header must have been imported earlier. Those preconditions are why Attack Complexity is rated High, which keeps the score in the High band rather than Critical; where both hold, the attack needs no credentials and no user interaction. This poses significant risk to Saudi organizations using WordPress for government portals, banking services, and e-commerce platforms.

🤖 AI Intelligence Analysis (analyzed Apr 26, 2026 11:51)
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi e-government platforms, banking sector websites and healthcare portals that run WordPress. SAMA-regulated financial institutions face critical risk if this plugin is deployed on customer-facing portals. Government agencies under NCA oversight could experience unauthorised administrative access to citizen data systems. Telecom providers (STC, Mobily) and energy sector organisations using WordPress for customer management face data breach and service disruption risks. The vulnerability is particularly relevant to organisations that have migrated or bulk-loaded users from CSV: the precondition (an earlier import whose header included a wp_capabilities column, with 'Show fields in profile' enabled) is plausible on such legacy deployments, and a site may not know it is met.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA-regulated)
Healthcare and Medical Services
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
E-commerce and Retail
Education and Universities
Insurance Services
⚖️ Saudi Risk Score (AI): 8.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory every WordPress installation for the 'Import and export users and customers' plugin and record its version
2. Deactivate the plugin wherever version 1.29.7 or earlier is found (no fixed release is listed on this page)
3. Review the wp_usermeta table for administrator entries under the capabilities meta key. The key is 'wp_capabilities' only on sites using the default table prefix; elsewhere it is '<prefix>capabilities'. wp_usermeta carries no timestamps, so compare the current administrator set against a known-good baseline and sort by wp_users.user_registered to surface recently created accounts
4. Check request logs for registration requests carrying a capabilities parameter. Standard web server access logs do not record POST bodies, so use WAF audit logs or application-level request logging; only GET query strings appear in access logs
5. Audit all Administrator accounts for unauthorised creation or role changes, including accounts that also hold a lower role (a serialized capabilities array can hold several roles at once)

PATCHING GUIDANCE:
1. Watch the plugin repository for a release later than 1.29.7 that addresses this issue
2. Do NOT re-enable the plugin until a fixed version is available and tested
3. When the patch is released, test it in a staging environment, then update production immediately

COMPENSATING CONTROLS (until a patch is available):
1. Turn off open user registration (WordPress Settings > General > "Anyone can register", plus any front-end registration form such as an e-commerce account page) if it is not business-critical; the attack path is an unauthenticated registration request
2. Disable the 'Show fields in profile' setting in the plugin configuration; the vulnerability cannot be exploited while it is off
3. Remove the wp_capabilities column from the plugin's profile-field configuration. Deleting the imported CSV file from disk does not by itself undo the precondition, because the plugin has already recorded the column header as a profile field
4. Add a Web Application Firewall (WAF) rule that blocks unauthenticated requests whose parameter names contain 'capabilities' or 'user_level', not only the literal 'wp_capabilities': the key follows the site's table prefix and may arrive inside an array-style parameter name. Do not apply the rule to authenticated administrator sessions, or legitimate CSV imports and profile edits will break
5. Restricting direct web access to the plugin directory via .htaccess or nginx configuration is sound hygiene but does not block this vector, which goes through the site's normal registration handler
6. Enable a WordPress security or audit plugin that logs role and capability changes
7. Implement database activity monitoring (audit log or binary-log review) for writes to the wp_usermeta table

DETECTION RULES:
1. Alert on unauthenticated POST requests carrying a capabilities or user_level parameter, whatever the registration path (/wp-login.php?action=register on a stock site, an e-commerce or custom registration form on others)
2. Alert on wp_usermeta INSERT/UPDATE operations that set a capabilities value containing "administrator" for a user who is not in the administrator baseline
3. Track sudden elevation of user roles from Subscriber/Contributor to Administrator
4. Monitor plugin activation/deactivation logs for suspicious timing
5. Log all CSV imports and flag those whose header includes a capabilities column; such an import creates the precondition for this vulnerability
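The audit and detection steps above, worked through as an added example (the editor's Python, not the page's or the plugin's code). The request records, user rows and administrator baseline are constructed; the `fields[...]` array-style parameter name is an assumption about how a form might nest the field, and the registration paths are illustrative. It covers the two caveats in the steps: the capabilities key follows the site's table prefix, and POST bodies have to come from a WAF or application log rather than from access logs.

```python
"""Hunt and detection helpers for the remediation steps above: request-level
detection of capability-setting registration attempts and a database-level
audit for unexpected administrators. Added illustration, not the page's or
the plugin's code; every record below is constructed for the example."""

import re
from urllib.parse import parse_qsl


def capability_keys(prefix: str = "wp_") -> set[str]:
    """Meta keys carrying roles/levels. 'wp_' is only the default table
    prefix, so both the real prefix and the default are checked."""
    return {p + s for p in {prefix, "wp_"} for s in ("capabilities", "user_level")}


# ---- 1. Request-level detection -------------------------------------------
# Web-server access logs do not record POST bodies, so these records stand in
# for a WAF or application audit log that does. 'user' is None when the
# request carried no authenticated session.
REQUESTS = [
    {"path": "/wp-login.php", "query": "action=register", "user": None,
     "body": "user_login=ahmed&user_email=ahmed%40example.com"},
    {"path": "/wp-login.php", "query": "action=register", "user": None,
     "body": ("user_login=mallory&user_email=m%40example.net"
              "&fields%5Bwp_capabilities%5D="
              "a%3A1%3A%7Bs%3A13%3A%22administrator%22%3Bb%3A1%3B%7D")},
    # Legitimate: an authenticated admin importing a CSV that has the column.
    {"path": "/wp-admin/admin.php", "query": "page=user-import", "user": "siteadmin",
     "body": "wp_capabilities=a%3A1%3A%7Bs%3A13%3A%22administrator%22%3Bb%3A1%3B%7D"},
    # Non-default prefix on a non-default registration form (account page).
    {"path": "/my-account/", "query": "", "user": None,
     "body": "username=eve&abc_capabilities=a%3A1%3A%7Bs%3A13%3A%22administrator%22%3Bb%3A1%3B%7D"},
]

_NAME_TOKEN = re.compile(r"[A-Za-z0-9_]+")


def flag_capability_requests(records: list[dict], prefix: str = "wp_") -> list[tuple[int, str, str, bool]]:
    """Unauthenticated requests whose parameter names (query or body, after
    URL decoding, including array-style names such as fields[wp_capabilities])
    contain a capability key. Returns (index, path, parameter, grants_admin)."""
    keys = capability_keys(prefix)
    hits = []
    for idx, rec in enumerate(records):
        if rec["user"] is not None:
            continue  # admin imports/profile edits carry this key legitimately
        params = (parse_qsl(rec["query"], keep_blank_values=True)
                  + parse_qsl(rec["body"], keep_blank_values=True))
        for name, value in params:
            if set(_NAME_TOKEN.findall(name)) & keys:
                hits.append((idx, rec["path"], name, '"administrator"' in value))
                break
    return hits


# ---- 2. Database-level audit ---------------------------------------------
# wp_usermeta has no timestamps, so the audit compares the current
# administrator set against a baseline and orders by wp_users.user_registered.
USERS = [  # (ID, user_login, user_registered)
    (1, "siteadmin", "2021-03-02 09:12:44"),
    (2, "ahmed", "2024-11-15 10:00:00"),
    (3, "mallory", "2026-03-22 03:14:07"),
]
USERMETA = [  # (user_id, meta_key, meta_value)
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (3, "first_name", "Mallory"),
]
KNOWN_ADMINS = {"siteadmin"}

_ROLE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(value: str) -> set[str]:
    """Roles set to true in a PHP-serialized WordPress capabilities array."""
    return set(_ROLE.findall(value))


def unexpected_admins(users, usermeta, known_admins, prefix="wp_"):
    """Logins holding the administrator role that are not in the baseline,
    most recently registered first."""
    cap_keys = {k for k in capability_keys(prefix) if k.endswith("capabilities")}
    roles: dict[int, set[str]] = {}
    for user_id, key, value in usermeta:
        if key in cap_keys:
            roles.setdefault(user_id, set()).update(roles_from_serialized(value))
    found = [(login, registered) for user_id, login, registered in users
             if "administrator" in roles.get(user_id, set()) and login not in known_admins]
    return sorted(found, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for hit in flag_capability_requests(REQUESTS):
        print("suspicious request:", hit)
    for login, registered in unexpected_admins(USERS, USERMETA, KNOWN_ADMINS):
        print("unexpected administrator:", login, "registered", registered)
```

Run with the default prefix, the request detector flags only the unauthenticated registration carrying `fields[wp_capabilities]`; run with `prefix="abc_"` it also catches the `abc_capabilities` attempt on the account page, which a rule written for the literal `wp_capabilities` would miss. The authenticated admin import is deliberately not flagged here; it belongs in the separate CSV-import log from detection rule 5.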
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Authorization and access control
A.6.2.1 - User registration and de-registration
A.7.1.1 - Physical and environmental security
A.8.1.1 - Cryptography and key management
A.9.1.1 - Incident management
A.10.1.1 - Business continuity management
🔵 SAMA CSF
Governance (GV) - GV-RO-01: Risk oversight and management
Governance (GV) - GV-RM-01: Risk management program
Protect (PR) - PR-AC-01: Access control and identity management
Protect (PR) - PR-AC-02: Privileged access management
Detect (DE) - DE-CM-01: Configuration and change management
Respond (RS) - RS-RP-01: Response planning
🟡 ISO 27001:2022 (Annex A)
5.15 - Access control
5.16 - Identity management
5.17 - Authentication information
5.18 - Access rights
5.19 - Information security in supplier relationships
8.2 - Privileged access rights
8.32 - Change management
5.24 - Information security incident management planning and preparation
5.26 - Response to information security incidents
🟣 PCI DSS v4.0.1
Requirement 2.2 - System components are configured and managed securely
Requirement 6.3 - Security vulnerabilities are identified and addressed (6.3.3: applicable security patches installed)
Requirement 7 - Restrict access to system components and cardholder data by business need to know
Requirement 8 - Identify users and authenticate access to system components
Requirement 10 - Log and monitor all access to system components and cardholder data
📊 CVSS Score
8.1
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: H (High) - reflects the two preconditions (profile-field setting enabled, prior CSV import with a wp_capabilities column)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS score: 8.1
CWE: CWE-269
Public exploit: No
Patch available: No
Published: 2026-03-21
Source feed: nvd
Priority: CRITICAL
🏷️ Tags
CWE-269