CVE-2026-4261 Meta — Exploit & Vulnerability Details HIGH

CVE-2026-4261

HIGH CVSS 3.1: 8.8 EPSS 0.04%

Parameter	Value
CVSS	8.8 (HIGH)
Type	CWE-862 (Missing Authorization)
Vendor	Meta
Public PoC	No

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-862 Missing Authorization

References 2

https://plugins.trac.wordpress.org/browser/expire-users/tags/1.2.2/admin/expire…

security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/d676700b-8c53-4e09-a6…

security@wordfence.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3629

Meta

8.1

CVE-2026-3474

Meta

4.9

CVE-2026-2352

Meta

6.4

CVE-2026-33143

Meta

8.7

CVE-2025-62845

Meta

5.6

Menu

CVE-2026-4261

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-3629

CVE-2026-3474

CVE-2026-2352

CVE-2026-33143

CVE-2025-62845

CVE Details

Editor's Choice

Menu

CVE-2026-4261

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-3629

CVE-2026-3474

CVE-2026-2352

CVE-2026-33143

CVE-2025-62845

CVE Details

Editor's Choice

Stay informed on cybersecurity