Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total3
Critical0
High2
Medium1
Reset
Showing 1-3 of 3 records
Threat Entry Updated 2026-05-05

CVE-2026-7641 - Import Users From Csv With Meta Plugin

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated…

PLUGIN Import Users From Csv With Meta

CVE-2026-7641

HIGH CVSS 8.8 2026-05-02
Open Full Technical Breakdown
Threat Entry Updated 2026-04-24

CVE-2026-3629 - Import Users From Csv With Meta Plugin

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields…

PLUGIN Import Users From Csv With Meta

CVE-2026-3629

HIGH CVSS 8.1 2026-03-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1050 - Import Users From Csv With Meta Plugin

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets.

PLUGIN Import Users From Csv With Meta

CVE-2024-1050

MEDIUM CVSS 4.3 2024-05-04
Open Full Technical Breakdown
Scroll to top