Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible IDOR requiring a valid WordPress account (PR:L); no integrity or availability impact confirmed per description and CVSS signals.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Simple User Avatar: from n/a through 4.9.
AnalysisAI
Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid, authenticated account on the target WordPress site at any role level that can invoke the plugin's avatar endpoint - typically subscriber-level or above (PR:L per the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) captures the bounded real-world risk well: the attack is network-accessible and low-complexity (AV:N/AC:L), but requires a valid low-privilege account (PR:L), and impact is confined to partial confidentiality loss (C:L) with no integrity or availability consequence (I:N/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or authenticates as a low-privilege subscriber on the target WordPress site and issues a request to a Simple User Avatar plugin endpoint, substituting another user's ID or object key for their own in the request parameter. The plugin retrieves and returns the targeted user's avatar resource without performing an ownership check, allowing the attacker to enumerate avatar data across the user base. … |
| Remediation | The primary fix is to update Simple User Avatar to a version beyond 4.9 once a patched release is made available by the developer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40056
GHSA-9324-w765-4vq2