CVE-2026-12102 Overview
CVE-2026-12102 is an Insecure Direct Object Reference (IDOR) vulnerability in the UsersWP WordPress plugin, which provides front-end login forms, user registration, user profiles, and a members directory. The flaw affects all versions of UsersWP up to and including 1.2.63. It originates from missing validation on a user-controlled user_id parameter in the avatar and banner reset flow. Authenticated attackers with editor-level access or above can reset and permanently delete the avatar or banner image of any user, including administrators, by clearing avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Critical Impact
Editor-level attackers can permanently delete avatar and banner images of arbitrary WordPress users, including administrators, by abusing the unvalidated user_id parameter.
Affected Products
- UsersWP plugin for WordPress, versions up to and including 1.2.63
- WordPress sites using UsersWP front-end login form, user registration, user profile, and members directory functionality
- Sites where editor-level or higher accounts are issued to untrusted users
Discovery Timeline
- 2026-06-18 - CVE-2026-12102 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12102
Vulnerability Analysis
The vulnerability is classified as Insecure Direct Object Reference [CWE-639]. The UsersWP plugin exposes avatar and banner reset functionality through class-forms.php and class-profile.php. The code paths accept a user_id parameter from the request and act on the matching record in the uwp_usermeta table without verifying that the requesting user is authorized to modify that target. An authenticated user with the editor capability set can submit a crafted request that resets the avatar_thumb or banner_thumb metadata for any user ID, including administrator accounts. The result is permanent deletion of the targeted profile imagery.
Root Cause
The root cause is missing authorization validation on a user-controlled key. The pre-patch logic in class-forms.php accepted any numeric user_id from $_GET while in the admin context, without checking the acting user's capability against the target user. The nonce was also scoped only by $type, not by the target user ID, allowing reuse across arbitrary user identifiers.
Attack Vector
Exploitation requires an authenticated session at editor level or above. The attacker issues a request to the avatar or banner reset endpoint, supplies the victim's numeric user_id, and includes a valid uwp_reset_nonce. The server processes the request and clears the corresponding metadata entries in uwp_usermeta, removing the victim's avatar or banner.
// Pre-patch logic in includes/class-forms.php (vulnerable)
if ( empty( $_POST['uwp_reset_nonce'] ) || ! wp_verify_nonce( $_POST['uwp_reset_nonce'], 'uwp_reset_nonce_' . $type ) ) {
return;
}
if ( is_admin() && defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
$user_id = get_current_user_id();
} elseif ( is_admin() && ! empty( $_GET['user_id'] ) && is_numeric( $_GET['user_id'] ) ) {
// No capability check - any admin-area user can target another user_id
$user_id = absint( $_GET['user_id'] );
} else {
$user_id = get_current_user_id();
}
Source: GitHub Commit 0e69f96
Detection Methods for CVE-2026-12102
Indicators of Compromise
- Unexpected removal of administrator or high-privilege user avatars or banners in the UsersWP front-end and members directory
- Rows missing avatar_thumb or banner_thumb entries in the uwp_usermeta table for users who previously had images set
- WordPress access logs showing requests to UsersWP profile or form endpoints carrying a user_id query parameter that does not match the requester's own user ID
- Editor-role accounts submitting uwp_reset_nonce POST requests targeting administrator user IDs
Detection Strategies
- Audit web server logs for admin-area requests containing user_id= parameters from non-administrator sessions
- Monitor changes to the uwp_usermeta table, particularly deletions or empty-string updates to avatar_thumb and banner_thumb keys
- Correlate WordPress authentication logs with avatar or banner change events to identify cross-user modifications
Monitoring Recommendations
- Enable WordPress audit logging to record profile metadata changes and the acting user for each event
- Alert when an editor or non-administrator account triggers profile reset actions targeting administrator user IDs
- Track installed UsersWP plugin versions across WordPress estates and flag any installation at version 1.2.63 or earlier
How to Mitigate CVE-2026-12102
Immediate Actions Required
- Update UsersWP to version 1.2.64 or later on all WordPress sites running the plugin
- Review the list of editor-level and higher accounts and revoke access for any that are not strictly required
- Inspect uwp_usermeta for missing avatar or banner entries on administrator and privileged accounts and restore from backup if needed
Patch Information
The fix is included in UsersWP 1.2.64. The patch adds a current_user_can( 'manage_options' ) capability check before honoring the user_id request parameter, and binds the uwp_reset_nonce to the target user ID. The same authorization pattern is added to crop_submit_form() in class-profile.php.
// Patched logic in includes/class-profile.php (1.2.64)
public function crop_submit_form( $type = 'avatar' ) {
if ( is_admin() && defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
$user_id = get_current_user_id();
} elseif ( is_admin() && current_user_can( 'manage_options' ) && ! empty( $_GET['user_id'] ) && is_numeric( $_GET['user_id'] ) ) {
$user_id = absint( $_GET['user_id'] );
} else {
$user_id = get_current_user_id();
}
ob_start();
// ...
}
Source: GitHub Commit 0e69f96
Workarounds
- Restrict the editor and higher roles to trusted personnel until the plugin is updated
- Use a web application firewall rule to block admin-area requests where a non-administrator session supplies a user_id parameter to UsersWP endpoints
- Maintain regular backups of the WordPress database so that deleted avatar_thumb and banner_thumb metadata can be restored
- Consult the Wordfence Vulnerability Intelligence entry for additional guidance
# Verify the installed UsersWP version on a WordPress host
wp plugin get userswp --field=version
# Update UsersWP to the patched release
wp plugin update userswp --version=1.2.64
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

