Unauthenticated AJAX enables Users manager privilege escalation via user meta
TL;DR — An unauthenticated WordPress AJAX endpoint can update arbitrary user metadata, enabling privilege escalation and account-takeover-style outcomes in affected userspn deployments.
What happened
Users manager – PN is a WordPress plugin (slug userspn) that manages user-related functionality via WordPress AJAX handlers.
Wordfence documents a Critical missing-authorization flaw where the plugin’s unauthenticated AJAX handler (userspn_ajax_nopriv_server(), userspn_form_save case) only blocks unauthenticated callers when user_id is empty. If an attacker supplies a non-empty user_id, the request flow can reach update_user_meta() without authentication or authorization verification, enabling arbitrary user meta updates.
Wordfence also notes that the nonce used by the endpoint (userspn-nonce) is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, making the nonce check ineffective as a security control in this context. Wordfence calls out the ability to update user metadata for any account, including the userspn_secret_token field.
| Item | Source value |
|---|---|
| Affected component | WordPress plugin Users manager – PN (userspn) |
| Affected versions | <= 1.1.15 |
| Patched version (per source) | 1.1.20 |
| Severity | CVSS 3.1 9.8 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
This is a classic high-impact WordPress failure mode: unauthenticated admin-ajax.php exposure plus missing authorization checks can turn “helper” endpoints into account takeover primitives.
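To make the failure mode concrete, here is an added illustration (not the plugin's code; handler, hook and meta-key names are hypothetical) of the check pattern the advisory describes, an empty-`user_id` test standing in for authentication, next to a hardened handler that requires a logged-in caller, verifies the caller may edit the target user, and only writes an allowlist of meta keys:

```php
<?php
// Added illustration, not the plugin's code. Function names, the hook name and
// the allowlisted meta keys are hypothetical; the WordPress API calls are real.

// BEFORE (the pattern the advisory describes): only an empty user_id is rejected,
// so an anonymous caller who supplies any user_id reaches update_user_meta().
function example_form_save_vulnerable() {
    // The nonce is published to every visitor via wp_localize_script, so this
    // check proves nothing about who is calling.
    check_ajax_referer( 'userspn-nonce', 'nonce' );
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( empty( $user_id ) ) {
        wp_send_json_error( 'not logged in' );
    }
    foreach ( (array) $_POST['meta'] as $key => $value ) {
        update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( $value ) );
    }
    wp_send_json_success();
}

// AFTER: the caller must be authenticated, the target must be the caller's own
// account (or one the caller is capable of editing), and only an explicit
// allowlist of meta keys is client-writable, so secrets stored in user meta
// can never be set through this path.
function example_form_save_hardened() {
    check_ajax_referer( 'userspn-nonce', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }
    $allowed = array( 'example_display_pref', 'example_newsletter_optin' ); // hypothetical keys
    $meta    = ( isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ) ? $_POST['meta'] : array();
    foreach ( $meta as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // e.g. a token such as userspn_secret_token is silently ignored
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// Register only the hardened handler, and only on the authenticated hook:
// no wp_ajax_nopriv_ registration, because there is no legitimate anonymous use.
add_action( 'wp_ajax_example_form_save', 'example_form_save_hardened' );
```

The point to audit for in your own handlers is the first version's conditional: a request parameter is never evidence of identity, and a nonce that is handed to every visitor is not an authorization check.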
Who is impacted
- WordPress sites running Users manager – PN (slug userspn) at versions <= 1.1.15.
- Deployments where the plugin’s unauthenticated AJAX path is reachable (typical WordPress configurations expose admin-ajax.php to the internet).
- Any environment where sensitive authorization decisions depend on user meta values (including plugin-specific secrets/tokens stored as user metadata).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"Remediation Update to version 1.1.20, or a newer patched version"
- Inventory production WordPress instances for the userspn plugin and confirm the installed version.
- Treat this as a potential unauthorized-change exposure:
  - review access logs for suspicious spikes in requests to WordPress AJAX endpoints tied to userspn actions
  - review for unexpected user meta changes (especially userspn_secret_token and any authorization-relevant meta used in your environment)
- If you cannot patch immediately, reduce blast radius while assessing:
  - restrict access to WordPress admin/AJAX surfaces at the network edge where operationally feasible (e.g., allowlists/VPN for administrative paths)
