Skip to main content

Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp

1 CVEs product

Monthly

CVE-2026-12102 LOW Monitor

Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.

Authentication Bypass WordPress Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.3%
EPSS 0% CVSS 2.7
LOW Monitor

Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.

Authentication Bypass WordPress Userswp Front End Login Form User Registration User Profile Members Directory Plugin For Wp
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy