Impact
The UsersWP plugin suffers from an insecure direct object reference that allows any authenticated user with editor privileges or higher to submit the "user_id" parameter and clear the avatar or banner thumbnail for arbitrary users, including site administrators. This change modifies persistent user profile metadata, resulting in loss of information that users expect to remain stable. The primary security impact is an integrity violation, enabling trusted attackers to deface profiles or remove important visual identifiers for any user account.
Affected Systems
WordPress sites running the UsersWP plugin version 1.2.63 or earlier, including all earlier minor releases such as 1.2.61 and 1.2.62, are affected. The vulnerability is present in the core plugin files that handle form submissions and profile management, specifically the functions that process the "user_id" request parameter without validating that the acting user owns or is authorized to modify that target user.
Risk and Exploitability
The CVSS score of 2.7 indicates low overall severity, and the EPSS score of less than 1% shows exploitation probability is very low. The vulnerability is not listed in CISA’s KEV catalog. Because an attacker must first be authenticated with at least editor rights, the attack is limited to privileged users, possibly internal staff or compromised accounts. An exploit would involve submitting a form or URL that sets the "user_id" parameter to another user's ID, which the plugin then processes and clears the avatar_banner metadata without further authorization checks.
OpenCVE Enrichment