Skip to main content

UsersWP CVE-2026-12102

| EUVDEUVD-2026-37860 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-18 Wordfence GHSA-crv8-pwhc-5w5p
2.7
CVSS 3.1 · Vendor: Wordfence

Severity by source

Vendor (Wordfence) PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
2.7 LOW

Editor-level authentication required (PR:H); sole impact is image metadata deletion (I:L), with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 08:06 vuln.today
Analysis Generated
Jun 18, 2026 - 08:06 vuln.today

DescriptionCVE.org

The UsersWP - Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.

AnalysisAI

Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain editor-level WordPress credentials
Delivery
Enumerate target administrator's user_id
Exploit
Craft POST request with arbitrary user_id to UsersWP image reset endpoint
Execution
Plugin skips authorization check on user_id key
Persist
Clear avatar_thumb and banner_thumb in uwp_usermeta
Impact
Target user's profile images permanently deleted

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with editor-level privileges or above, as confirmed by PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 2.7 (Low) score accurately characterizes limited real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid WordPress editor account logs into a target site running UsersWP through version 1.2.63. They identify an administrator's numeric user_id (readily available through the WordPress admin interface or public author pages) and submit a crafted request to the UsersWP image reset or delete endpoint supplying the administrator's user_id. …
Remediation An upstream fix has been committed to the AyeCode GitHub repository at https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298; however, the specific released patched plugin version number is not independently confirmed from available data - administrators should update to the latest version available in the WordPress plugin repository and verify it includes or supersedes this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy