Skip to main content

Simple User Avatar EUVDEUVD-2026-40056

| CVE-2026-57676 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-29 Patchstack GHSA-9324-w765-4vq2
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible IDOR requiring a valid WordPress account (PR:L); no integrity or availability impact confirmed per description and CVSS signals.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 09:20 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Simple User Avatar: from n/a through 4.9.

AnalysisAI

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Exploit
Send request to avatar endpoint with manipulated user ID
Execution
Plugin skips ownership validation
Impact
Retrieve unauthorized user's avatar data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid, authenticated account on the target WordPress site at any role level that can invoke the plugin's avatar endpoint - typically subscriber-level or above (PR:L per the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) captures the bounded real-world risk well: the attack is network-accessible and low-complexity (AV:N/AC:L), but requires a valid low-privilege account (PR:L), and impact is confined to partial confidentiality loss (C:L) with no integrity or availability consequence (I:N/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or authenticates as a low-privilege subscriber on the target WordPress site and issues a request to a Simple User Avatar plugin endpoint, substituting another user's ID or object key for their own in the request parameter. The plugin retrieves and returns the targeted user's avatar resource without performing an ownership check, allowing the attacker to enumerate avatar data across the user base. …
Remediation The primary fix is to update Simple User Avatar to a version beyond 4.9 once a patched release is made available by the developer. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy