Insecure Direct Object Reference in UsersWP Plugin for WordPress
CVE-2026-12102

2.7 LOW

What is CVE-2026-12102?

The UsersWP plugin for WordPress is vulnerable to Insecure Direct Object Reference because the 'user_id' parameter is not adequately validated against the requesting user. An authenticated attacker with Editor-level access or higher can supply another user's ID and modify that user's metadata: specifically, the attacker can reset or permanently delete the avatar and banner images of any user, including administrators, by tampering with the avatar_thumb or banner_thumb entries in the uwp_usermeta table. Exploitation requires no user interaction and is of low complexity, but the impact is confined to the integrity of those two profile images (CVSS Integrity: Low), which is why the issue scores 2.7 despite reaching administrator accounts.
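The pattern behind this class of bug, and the authorization check that closes it, shown as an added illustration in WordPress-style PHP. This is not UsersWP's code: the handler names, the AJAX action, the nonce action name and the request parameters are all assumptions, and the example uses WordPress core's `delete_user_meta()` in place of the plugin's own uwp_usermeta table, which is not modeled here.

```php
<?php
// Added example, not code from the UsersWP plugin. Function names, the AJAX
// action and the 'type'/'nonce' parameters are assumptions for illustration.
// Both handlers model a "reset avatar/banner" endpoint that receives a user_id.

// --- Vulnerable pattern (IDOR): the object reference (user_id) comes straight
// from the request and is never tied to the caller. Any logged-in user who can
// reach the endpoint can clear another user's image metadata, including an
// administrator's.
function example_reset_profile_image_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $type    = sanitize_key( $_POST['type'] ?? 'avatar' ); // 'avatar' or 'banner'
    $key     = ( 'banner' === $type ) ? 'banner_thumb' : 'avatar_thumb';

    // No nonce, no capability check, no ownership check.
    // Stand-in for the plugin's own metadata store (assumption).
    delete_user_meta( $user_id, $key );
    wp_send_json_success();
}

// --- Hardened pattern: the request carries a nonce, the target user must
// exist, and the caller must either be that user or hold a capability that is
// checked against that specific user object ('edit_user' is a meta capability;
// WordPress maps it to 'edit_users' when the target is someone else, which
// Editors do not have by default).
function example_reset_profile_image_hardened() {
    check_ajax_referer( 'example_reset_profile_image', 'nonce' ); // assumed nonce action

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $type    = sanitize_key( $_POST['type'] ?? 'avatar' );
    $allowed = array( 'avatar' => 'avatar_thumb', 'banner' => 'banner_thumb' );

    if ( 0 === $user_id || ! isset( $allowed[ $type ] ) || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    $is_self       = ( get_current_user_id() === $user_id );
    $can_edit_user = current_user_can( 'edit_user', $user_id ); // object-level check

    if ( ! $is_self && ! $can_edit_user ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_user_meta( $user_id, $allowed[ $type ] );
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_reset_profile_image', 'example_reset_profile_image_hardened' );
```

The decisive line is the `current_user_can( 'edit_user', $user_id )` check: it is evaluated against the target user rather than as a blanket role test, so an Editor acting on an administrator's profile is refused while a user acting on their own profile is still allowed. A nonce alone would not fix the IDOR, since it only proves the request came from a page the attacker legitimately loaded.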

Affected Version(s)

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP: all versions up to and including 1.2.63

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Score: 2.7
Severity: LOW
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved
  • Vulnerability published

Credit

Pasindu Dilshan