Skip to main content

User Management EUVDEUVD-2026-42169

| CVE-2026-12097 MEDIUM
Missing Authorization (CWE-862)
2026-07-08 Wordfence GHSA-fm3p-77j7-xv3w
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network write to plugin option with no confidentiality or availability impact on the direct action; downstream credential exposure is a chained risk, not the base vulnerability's direct impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:32 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
MEDIUM 5.3

DescriptionCVE.org

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.

AnalysisAI

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated HTTP request to plugin handler
Delivery
Overwrite uiewp_export_field option with attacker-chosen fields
Exploit
Export config now includes password hash column
Execution
Administrator triggers CSV export
Impact
Password hashes exposed in exported file

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS vector PR:N confirms the handler accepts unauthenticated requests. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) captures the direct, unauthenticated, low-complexity nature of the write but scores C:N - which reflects only the immediate action of modifying a configuration option, not the downstream exposure of password hashes that becomes possible once that configuration is set. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to the WordPress site targeting the plugin's unguarded configuration handler, setting the uiewp_export_field option to include the user_pass field. When a site administrator later navigates to the plugin's export page and downloads the user CSV - a routine administrative task - the file contains bcrypt-hashed passwords for all registered users, which the attacker can retrieve if they also have read access to the export download URL or can socially engineer the CSV file. …
Remediation No vendor-released patched version has been identified in the available intelligence; version 1.2 is the latest confirmed affected release and no successor tag appears in the referenced Subversion repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy