Missing authorization in the WordPress WP User Profile Avatar plugin allows an attacker with access to the WordPress web interface to manipulate avatar data that is normally restricted to privileged users. This flaw, documented by CWE‑862, can enable unauthorized modification of avatar images or associated metadata without proper authentication, thereby compromising the integrity of user profiles.

The WP User Profile Avatar plugin, supplied by WP Event Manager, is vulnerable in all releases up to and including version 1.0.6. Site owners should check the installed plugin version and apply updates if they are running a vulnerable release.

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1 % suggests exploitation attempts are rare or unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker exploiting the plugin’s web interface to manipulate avatar data without proper authorization. This could permit them to replace or modify avatar images or associated metadata. No specific exploitation method is detailed in the advisory, so this assessment is derived from the missing authorization flaw.