Description
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Simple User Avatar: from n/a through 4.9.
Published: 2026-06-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) that allows a user to manipulate a user‑controlled key to bypass authorization checks. Attackers can retrieve or modify avatar data belonging to other users by supplying a different user identifier in the request. This can expose private avatar information and alter data integrity, causing unauthorized disclosure or modification of user resources.

Affected Systems

The flaw affects the WordPress Simple User Avatar plugin provided by Matteo Manna, specifically all releases up to and including version 4.9. The affected range is indicated as n/a through 4.9, meaning any installed instance of the plugin in that version window is vulnerable. The product is commonly integrated into WordPress installations that handle user avatars.

Risk and Exploitability

The CVSS score of 4.3 suggests a low‑to‑moderate severity, and the EPSS score is currently unavailable, so the likelihood of widespread exploitation cannot be determined from the data. The vulnerability is not listed in CISA KEV, implying no known public exploit at the time of reporting. The likely attack vector is remote and opportunistic, using the plugin’s web interface or API endpoints to supply the manipulated key. The attacker would need access to the site and the ability to send crafted requests, but no additional privileges are required beyond a normal authenticated session.

Generated by OpenCVE AI on June 29, 2026 at 09:20 UTC.

Remediation

Vendor Solution

Update the WordPress Simple User Avatar Plugin to the latest available version (at least 5.0).

OpenCVE Recommended Actions

  • Update the Simple User Avatar plugin to version 5.0 or later, which removes the IDOR flaw.
  • Verify that avatar management endpoints validate the requestor’s identity against the target avatar, ensuring that only the owner can view or edit their own avatar, thereby fixing the CWE‑639 access‑control weakness.
  • If an upgrade cannot be performed immediately, temporarily disable or uninstall the Simple User Avatar plugin until a patched version is available.
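The ownership check that the recommended actions describe, as an added PHP illustration that is not the Simple User Avatar plugin's code: a weak handler that trusts a request-supplied user_id (the CWE-639 pattern) is shown beside a hardened REST route that binds the target account to the authenticated session, or to the edit_user capability, and also checks ownership of the media item on the write path. The route name, the example_avatar_id user-meta key and every function name are assumptions made for the example.

```php
<?php
/**
 * Added illustration of the CWE-639 (IDOR) pattern and of the ownership check
 * the remediation notes call for. Example code only, not the plugin's code:
 * the route, the 'example_avatar_id' meta key and all names are assumptions.
 */

// Weak pattern (shown for contrast, not registered as a route): the target
// account comes straight from the request and is trusted, so any logged-in
// user can read another user's avatar record just by changing user_id.
function example_weak_get_avatar( WP_REST_Request $request ) {
	$user_id   = absint( $request->get_param( 'user_id' ) ); // user-controlled key
	$avatar_id = get_user_meta( $user_id, 'example_avatar_id', true );
	return rest_ensure_response( array( 'user_id' => $user_id, 'avatar_id' => $avatar_id ) );
}

// Hardened pattern: resolve the target from the authenticated session and
// allow a different account only when the caller may edit that account.
function example_resolve_target_user( WP_REST_Request $request ) {
	$current = get_current_user_id();
	if ( 0 === $current ) {
		return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
	}
	$requested = absint( $request->get_param( 'user_id' ) );
	$target    = $requested ? $requested : $current; // default to the caller's own account
	if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
		return new WP_Error( 'rest_forbidden', 'You may only manage your own avatar.', array( 'status' => 403 ) );
	}
	return $target;
}

// permission_callback: WordPress evaluates this before the handler runs, so the
// ownership decision is enforced on every request to the route.
function example_avatar_permission( WP_REST_Request $request ) {
	$target = example_resolve_target_user( $request );
	return is_wp_error( $target ) ? $target : true;
}

function example_safe_get_avatar( WP_REST_Request $request ) {
	$target = example_resolve_target_user( $request );
	if ( is_wp_error( $target ) ) {
		return $target;
	}
	$avatar_id = get_user_meta( $target, 'example_avatar_id', true );
	return rest_ensure_response( array( 'user_id' => $target, 'avatar_id' => absint( $avatar_id ) ) );
}

function example_safe_update_avatar( WP_REST_Request $request ) {
	$target = example_resolve_target_user( $request );
	if ( is_wp_error( $target ) ) {
		return $target;
	}
	// Second user-controlled key on the write path: the caller must also own
	// the media item it wants to assign, not merely know its id.
	$attachment_id = absint( $request->get_param( 'attachment_id' ) );
	$attachment    = get_post( $attachment_id );
	if ( ! $attachment || 'attachment' !== $attachment->post_type
		|| (int) $attachment->post_author !== get_current_user_id() ) {
		return new WP_Error( 'rest_forbidden', 'Attachment is not yours.', array( 'status' => 403 ) );
	}
	update_user_meta( $target, 'example_avatar_id', $attachment_id );
	return rest_ensure_response( array( 'user_id' => $target, 'avatar_id' => $attachment_id ) );
}

add_action( 'rest_api_init', function () {
	$args = array(
		'user_id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
	);
	register_rest_route( 'example-avatar/v1', '/avatar', array(
		array(
			'methods'             => WP_REST_Server::READABLE,
			'callback'            => 'example_safe_get_avatar',
			'permission_callback' => 'example_avatar_permission',
			'args'                => $args,
		),
		array(
			'methods'             => WP_REST_Server::EDITABLE,
			'callback'            => 'example_safe_update_avatar',
			'permission_callback' => 'example_avatar_permission',
			'args'                => $args + array(
				'attachment_id' => array( 'type' => 'integer', 'required' => true, 'sanitize_callback' => 'absint' ),
			),
		),
	) );
} );
```

The check lives in the permission_callback rather than only inside the handler so that a later refactor of the handler cannot silently drop it; the handlers repeat the resolution only to obtain the target id. With cookie authentication WordPress sets the current user to 0 unless a valid REST nonce accompanies the request, so the 401 branch also covers unauthenticated calls.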

Generated by OpenCVE AI on June 29, 2026 at 09:20 UTC.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Matteo Manna
                                       Matteo Manna simple User Avatar
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Matteo Manna
                                       Matteo Manna simple User Avatar
                                       Wordpress
                                       Wordpress wordpress

Mon, 29 Jun 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description                    Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9.
Title                          WordPress Simple User Avatar plugin <= 4.9 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T08:19:51.896Z

Reserved: 2026-06-25T08:03:37.652Z

Link: CVE-2026-57676

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:05:29Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key