Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.
Published: 2026-03-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Post Ownership Escalation
Action: Patch
AI Analysis

Impact

The User Profile Builder plugin for WordPress is vulnerable to an Insecure Direct Object Reference that allows an authenticated account with subscriber-level or higher privileges to change the post_author attribute of any post or attachment by submitting a crafted avatar value. This flaw enables the attacker to reassign ownership of arbitrary content, effectively escalating privileges within the site and compromising the integrity of posts and media.

Affected Systems

The vulnerability affects the User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin from Cozmos Labs. All releases up to and including version 3.15.5 are impacted. The plugin is distributed as a WordPress plugin.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. Because the flaw is exploitable only by logged-in users with subscriber access or higher, the attack surface is limited to accounts that already hold authenticated credentials on the site. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to submit a request through the avatar-saving flow carrying a chosen post_author value; no arbitrary code execution results. The risk is practical for sites with many subscribers, any of whom could reassign ownership of existing content.

Generated by OpenCVE AI on March 31, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Profile Builder plugin to the latest version (≥3.15.6).
  • Limit subscriber permissions so that avatar uploads cannot modify post_author values, or disable avatar uploads for non-admin roles.
  • Verify that the post_author field cannot be altered by non-privileged users in the plugin configuration.
  • Monitor site logs for unexpected changes to post_author values and investigate any anomalies.

Generated by OpenCVE AI on March 31, 2026 at 12:22 UTC.
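The last two recommended actions (verify that post_author cannot be altered by non-privileged users, and monitor for unexpected post_author changes) can be implemented as a small must-use plugin. The following is an added example written for this page; it is not code from User Profile Builder, Cozmos Labs, Wordfence or OpenCVE. It hooks the standard WordPress filters wp_insert_post_data and wp_insert_attachment_data, which run before a post or attachment row is written, logs any attempted change of post_author, and restores the previous author when the acting user lacks the edit_others_posts capability. The function name, the log line format and the choice of edit_others_posts as the threshold are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Post Author Change Guard (added example, not part of User Profile Builder)
 * Description: Logs attempted post_author changes and blocks them for users who
 *              may not edit others' posts. Drop into wp-content/mu-plugins/.
 */

/**
 * Filter callback for wp_insert_post_data / wp_insert_attachment_data.
 *
 * $data    is the sanitized row about to be written.
 * $postarr is the raw array passed to wp_insert_post()/wp_update_post().
 * Returning $data with post_author reset prevents the ownership change.
 */
function example_guard_post_author_change( $data, $postarr ) {
    // New posts have no existing author to protect; only inspect updates.
    if ( empty( $postarr['ID'] ) ) {
        return $data;
    }

    $existing = get_post( (int) $postarr['ID'] );
    if ( ! $existing ) {
        return $data;
    }

    $old_author = (int) $existing->post_author;
    $new_author = isset( $data['post_author'] ) ? (int) $data['post_author'] : $old_author;

    if ( $new_author === $old_author ) {
        return $data;
    }

    // Detection: record every attempted reassignment (assumed log format).
    $actor = get_current_user_id();
    error_log( sprintf(
        'post_author change attempt: post=%d type=%s from=%d to=%d by_user=%d uri=%s',
        $existing->ID,
        $existing->post_type,
        $old_author,
        $new_author,
        $actor,
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    // Mitigation: reassigning ownership is only legitimate for users who may
    // edit others' posts (editors and administrators by default). Requests
    // without a logged-in user (cron, WP-CLI) are logged but not altered.
    if ( $actor > 0 && ! current_user_can( 'edit_others_posts' ) ) {
        $data['post_author'] = $old_author;
        error_log( sprintf(
            'post_author change on post %d blocked: user %d lacks edit_others_posts',
            $existing->ID,
            $actor
        ) );
    }

    return $data;
}

// Posts and attachments pass through different filters; guard both.
add_filter( 'wp_insert_post_data', 'example_guard_post_author_change', 10, 2 );
add_filter( 'wp_insert_attachment_data', 'example_guard_post_author_change', 10, 2 );
```

The log lines land in the PHP error log (or wherever WordPress routes error_log), where the "post_author change attempt" entries from subscriber accounts are the signal to look for. Two caveats a practitioner should keep in mind: these filters only see writes that go through the WordPress post API, so a direct database update by a plugin would bypass them, and blocking the change is a compensating control rather than a fix, so the upgrade in the first recommended action still applies.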


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values added: Cozmoslabs; Cozmoslabs user Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Cozmoslabs; Cozmoslabs user Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor; Wordpress; Wordpress wordpress

Tue, 31 Mar 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 11:45:00 +0000

Type: Description
Values added: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.

Type: Title
Values added: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field

Type: Weaknesses
Values added: CWE-639

Type: References
(no values listed)

Type: Metrics
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-31T15:40:10.227Z

Reserved: 2026-02-24T17:41:54.927Z

Link: CVE-2026-3139

Vulnrichment

Updated: 2026-03-31T15:39:43.494Z

NVD

Status: Received

Published: 2026-03-31T12:16:31.037

Modified: 2026-03-31T12:16:31.037

Link: CVE-2026-3139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:52Z

Weaknesses