Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Published: 2026-06-18
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The UsersWP plugin suffers from an insecure direct object reference that allows any authenticated user with editor privileges or higher to submit the "user_id" parameter and clear the avatar or banner thumbnail for arbitrary users, including site administrators. This change modifies persistent user profile metadata, resulting in loss of information that users expect to remain stable. The primary security impact is an integrity violation, enabling trusted attackers to deface profiles or remove important visual identifiers for any user account.

Affected Systems

WordPress sites running the UsersWP plugin version 1.2.63 or earlier, including all earlier minor releases such as 1.2.61 and 1.2.62, are affected. The vulnerability is present in the core plugin files that handle form submissions and profile management, specifically the functions that process the "user_id" request parameter without validating that the acting user owns or is authorized to modify that target user.

Risk and Exploitability

The CVSS score of 2.7 indicates low overall severity, and the EPSS score of less than 1% shows exploitation probability is very low. The vulnerability is not listed in CISA’s KEV catalog. Because an attacker must first be authenticated with at least editor rights, the attack is limited to privileged users, possibly internal staff or compromised accounts. An exploit would involve submitting a form or URL that sets the "user_id" parameter to another user's ID, which the plugin then processes and clears the avatar_banner metadata without further authorization checks.

Generated by OpenCVE AI on June 18, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the UsersWP plugin to the latest patched version that removes the IDOR flaw.
  • Revoke editor and higher role privileges from users who do not require interaction with avatar or banner settings, ensuring only administrators have that capability.
  • Apply a web application firewall rule that blocks or verifies the "user_id" parameter for users without the Administrator role, adding an extra layer of protection against unauthorized metadata manipulation.

Generated by OpenCVE AI on June 18, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Stiofansisland
Stiofansisland userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp
Wordpress
Wordpress wordpress
Vendors & Products Stiofansisland
Stiofansisland userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Title UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Stiofansisland Userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T13:53:27.642Z

Reserved: 2026-06-12T14:27:14.482Z

Link: CVE-2026-12102

cve-icon Vulnrichment

Updated: 2026-06-18T13:21:10.349Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key