Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Editor-level authentication required (PR:H); sole impact is image metadata deletion (I:L), with no confidentiality or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The UsersWP - Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
AnalysisAI
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with editor-level privileges or above, as confirmed by PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 2.7 (Low) score accurately characterizes limited real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid WordPress editor account logs into a target site running UsersWP through version 1.2.63. They identify an administrator's numeric user_id (readily available through the WordPress admin interface or public author pages) and submit a crafted request to the UsersWP image reset or delete endpoint supplying the administrator's user_id. … |
| Remediation | An upstream fix has been committed to the AyeCode GitHub repository at https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298; however, the specific released patched plugin version number is not independently confirmed from available data - administrators should update to the latest version available in the WordPress plugin repository and verify it includes or supersedes this commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37860
GHSA-crv8-pwhc-5w5p