Skip to main content

Simple User Avatar

1 CVEs product

Monthly

CVE-2026-57676 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.

Authentication Bypass Simple User Avatar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy