Expire Users WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Expire Users plugin for WordPress, affecting all versions through 1.2.2. The vulnerability arises because the plugin allows users to modify the 'on_expire_default_to_role' meta via the 'save_extra_user_profile_fields' function. This flaw enables authenticated attackers with Subscriber-level access or higher to elevate their privileges to those of an administrator.
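For plugin authors and reviewers, the following added example sketches a hardened profile-save handler for a role-bearing meta value like the one described above. It is not the Expire Users plugin's code: the function name, the form field name, and the assumption that the value is stored as user meta under 'on_expire_default_to_role' are illustrative.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.
// Assumptions: function name example_save_expire_role(), a POST field named
// 'on_expire_default_to_role', and storage as user meta under the same key.

add_action( 'personal_options_update', 'example_save_expire_role' );  // user saves own profile
add_action( 'edit_user_profile_update', 'example_save_expire_role' ); // user saves another profile

function example_save_expire_role( $user_id ) {
    // Reject requests that did not come from the profile form for this user.
    check_admin_referer( 'update-user_' . $user_id );

    // A role setting is an administrative decision. Being able to edit a
    // profile is not enough: also require the capability core uses for
    // changing roles, so a Subscriber saving their own profile stops here.
    if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'promote_users' ) ) {
        return;
    }

    if ( ! isset( $_POST['on_expire_default_to_role'] ) ) {
        return;
    }

    $role = sanitize_key( wp_unslash( $_POST['on_expire_default_to_role'] ) );

    // get_editable_roles() lives in an admin include; load it if needed.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }

    // Accept only roles that exist and that the acting user may assign.
    // An empty string is kept as "no role change on expiry".
    $assignable = array_keys( get_editable_roles() );
    if ( '' !== $role && ! in_array( $role, $assignable, true ) ) {
        return;
    }

    update_user_meta( $user_id, 'on_expire_default_to_role', $role );
}
```

The same review question applies to any handler hooked to profile updates: every field it writes must be one the submitting user is entitled to set.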

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access to gain administrative privileges on the WordPress site.

Added: Mar 21, 2026, 5:00 AM
Updated: Mar 21, 2026, 5:00 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.9
remediation: 0.0
relevance: 4.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.