What is the authoritative source for CVE-2026-4003?

CVE-2026-4003 (CVE-2026-4003) is catalogued in NVD + CISA KEV + FIRST EPSS and curated for EU compliance use cases by SQUR.

How severe is CVE-2026-4003?

CVE-2026-4003 carries a CRITICAL CVSS 9.8 severity rating.

CVE-2026-4003CRITICAL 9.8EPSS p54.6%

CVE-2026-4003CVE-2026-4003

Description

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field.

Scoring

CVSS 3.1	9.8 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS	0.89% probability of exploitation · percentile 54.6% · 2026-06-18T12:00:27Z
Published	2026-04-08
Last modified	2026-04-27