CVE-2026-12102

June 18, 2026, 8:16 a.m.

2.7
Low

Description

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.

Product(s) Impacted

Product Versions

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574
https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve

Tags

[email protected]
CWE-639
2026-06-18
CVE-2026-12102

CVSS Score

2.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 18, 2026, 8:16 a.m.
Last Modified: June 18, 2026, 8:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.