The Users manager – PN plugin for WordPress versions up to 1.1.15 contains a privilege escalation vulnerability that allows unauthenticated attackers to update arbitrary user metadata. The flaw exists in the userspn_ajax_nopriv_server() function where authorization logic only blocks users when user_id is empty, but bypasses checks when a non-empty user_id is provided. Additionally, the security nonce is exposed to all visitors through wp_localize_script, making the nonce check ineffective. Attackers can exploit this to modify any user's metadata, including sensitive fields like userspn_secret_token.