CVE-2026-7641: WordPress Multisite Privilege Escalation Via Plugin

The Import and export users and customers plugin for WordPress, in all versions up to and including 2.0.8, is vulnerable to privilege escalation. The National Vulnerability Database reports this flaw, CVE-2026-7641, stems from an incomplete blocklist within the save_extra_user_profile_fields() function. While the plugin correctly restricts capability meta keys for the primary WordPress site (e.g., wp_capabilities), it fails to block equivalent keys for subsites in a Multisite network (e.g., wp_2_capabilities). This allows these subsite-specific keys to bypass in_array() checks and be written directly to user meta via update_user_meta().

This vulnerability enables authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator on any subsite within a WordPress Multisite network. Exploitation requires a crafted profile update submitted to /wp-admin/profile.php. Crucially, an administrator must have previously imported a CSV file containing multisite-prefixed capability column headers and enabled the ‘Show fields in profile?’ option, which exposes these keys as editable fields on the user profile page. The National Vulnerability Database assigns a CVSS score of 8.8 (HIGH) to this flaw.
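To make the blocklist gap concrete, the following added example (written here for this advisory, not the plugin's own code) models the incomplete in_array()-style check beside a hardened one that recognises capability meta keys for the primary site and every subsite, and uses the same pattern to flag subsite-prefixed keys in submitted profile fields for detection. The "wp_" table prefix, the sample submission and the placeholder values are assumptions, not data from the advisory.

```python
import re

# Keys the plugin's original blocklist covers, per the advisory: only the
# primary site's capability meta keys under the default "wp_" table prefix.
INCOMPLETE_BLOCKLIST = {"wp_capabilities", "wp_user_level"}


def vulnerable_is_blocked(meta_key: str) -> bool:
    """Models the incomplete in_array() check: subsite keys slip through."""
    return meta_key in INCOMPLETE_BLOCKLIST


def capability_key_pattern(base_prefix: str = "wp_") -> re.Pattern:
    """Matches <prefix>capabilities / <prefix>user_level for the primary site
    and <prefix><blog_id>_... for every subsite. base_prefix stands for the
    install's $table_prefix; "wp_" is an assumed default."""
    return re.compile(
        r"^" + re.escape(base_prefix) + r"(?P<blog>\d+_)?(?:capabilities|user_level)$",
        re.IGNORECASE,  # defensive: do not rely on exact casing
    )


def hardened_is_blocked(meta_key: str, base_prefix: str = "wp_") -> bool:
    """Blocks capability meta keys for the primary site and all subsites."""
    return capability_key_pattern(base_prefix).match(meta_key) is not None


def filter_submitted_fields(fields: dict, check) -> dict:
    """Returns the submitted fields that would still reach update_user_meta()
    under the given blocklist check."""
    return {k: v for k, v in fields.items() if not check(k)}


def subsite_capability_keys(param_names, base_prefix: str = "wp_") -> list:
    """Detection helper: parameter names a profile update has no legitimate
    reason to carry, i.e. subsite-prefixed capability keys (wp_<id>_...)."""
    pat = capability_key_pattern(base_prefix)
    hits = []
    for name in param_names:
        m = pat.match(name)
        if m and m.group("blog"):
            hits.append(name)
    return sorted(hits)


# Constructed sample profile submission (not from the advisory); values are
# placeholders, not real capability payloads.
SAMPLE_SUBMISSION = {
    "wp_capabilities": "<serialized caps>",    # blocked by the original check
    "wp_2_capabilities": "<serialized caps>",  # subsite key: slips through
    "wp_2_user_level": "10",                   # subsite key: slips through
    "phone": "555-0100",                       # ordinary custom column
}
```

Running `filter_submitted_fields(SAMPLE_SUBMISSION, vulnerable_is_blocked)` keeps both subsite keys, while the hardened check keeps only `phone`.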

This isn’t just a coding error; it’s a critical logic bypass in a WordPress Multisite environment. Attackers aren’t guessing credentials; they’re leveraging a fundamental trust failure in how user capabilities are handled across the network. For any organization running WordPress Multisite, this is a glaring hole, turning a low-privileged user into a full administrator on a subsite. The fact that it requires a prior admin action (CSV import) doesn’t negate the risk; many large WordPress deployments rely on such import functionalities for user management.

What This Means For You

  • If your organization uses WordPress Multisite together with the 'Import and export users and customers' plugin, you are at high risk. Immediately check whether any site runs a version up to and including 2.0.8 and prioritize patching. If you cannot patch immediately, review the `acui_columns` option for multisite-prefixed capability column headers and audit user profile update logs, especially for `/wp-admin/profile.php`, for suspicious activity.

Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK; the Sigma YAML of the first is shown below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-7641: WordPress Multisite Privilege Escalation via Profile Update

Sigma YAML
title: CVE-2026-7641: WordPress Multisite Privilege Escalation via Profile Update
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7641 by targeting the profile update endpoint ('/wp-admin/profile.php') with parameters indicative of privilege escalation attempts, specifically looking for multisite-prefixed capability meta keys like 'wp_2_capabilities' or 'wp_2_user_level' within the query string. This indicates an authenticated user with at least Subscriber privileges attempting to elevate their role on a subsite.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7641/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-admin/profile.php'
    # Subsite keys carry a blog id (wp_<id>_capabilities), so a plain
    # 'wp_capabilities' substring would not match them; the regex covers the
    # primary-site keys and every subsite prefix.
    # Caveat: profile updates are submitted as POST form fields, so this field
    # only sees parameters placed in the URL; pair it with a log source that
    # records request bodies (e.g. a WAF or application log) for full coverage.
    cs-uri-query|re: 'wp_([0-9]+_)?(capabilities|user_level)'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7641 | Privilege Escalation | WordPress plugin 'Import and export users and customers' versions <= 2.0.8
CVE-2026-7641 | Privilege Escalation | Vulnerable function: `save_extra_user_profile_fields()`
CVE-2026-7641 | Privilege Escalation | Vulnerable endpoint: `/wp-admin/profile.php`
CVE-2026-7641 | Privilege Escalation | Affected component: WordPress Multisite network, specifically subsite capability meta keys (e.g., `wp_2_capabilities`, `wp_2_user_level`)
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 08:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
