CVE-2026-4003 — AI Deep Analysis Summary

🚨 **Essence**: A critical flaw in 'Users manager – PN' plugin allows unauthorized updates to user metadata. 📉 **Consequences**: Attackers can escalate privileges, leading to full system compromise (High CVSS).

🛡️ **Root Cause**: **CWE-862** (Missing Authorization). The plugin fails to verify user permissions before processing requests.…

👥 **Affected**: WordPress Plugin **Users manager – PN**. 📦 **Version**: **1.1.15 and earlier**. 🏢 **Vendor**: felixmartinez. ⚠️ Any site running this outdated version is at risk.

💀 **Attacker Actions**: Update **arbitrary user metadata** without authentication. 📈 **Impact**: Privilege escalation. An unauthenticated user can become an admin or modify critical data.…

🔓 **Threshold**: **LOW**. 🚫 **Auth**: None required (Unauthenticated). 🖱️ **UI**: None required. 🌍 **Access**: Network (AV:N). This is an easy target for automated bots. 🤖

📜 **Exploit Status**: **No public PoC/Exp** listed in the data. 🕵️ **However**: The CVSS score is **9.8 (Critical)**, implying high exploitability. 🧠 Attackers can likely craft requests based on the CWE-862 description.

🔍 **Self-Check**: Scan for **Users manager – PN** plugin. 📊 **Version Check**: Verify if version is **≤ 1.1.15**.…

🩹 **Fix**: Update the plugin to the latest version. 📅 **Published**: 2026-04-08. 🔗 **Reference**: Check WordPress Trac for changesets fixing the authorization logic in `class-userspn-common.php` and AJAX handlers.

🚧 **No Patch?**: **Disable** the plugin immediately. 🚫 **Action**: Deactivate 'Users manager – PN'. 🔄 **Alternative**: Use a different, secure user management plugin. 🛑 Do not leave it active with known flaws.

🔥 **Urgency**: **CRITICAL**. 🚨 **Priority**: **IMMEDIATE ACTION**. With CVSS 9.8 and no auth required, this is a high-priority patch. ⏳ Delay increases risk of automated exploitation significantly.