Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12102

CVE-2026-12102: UsersWP WordPress Auth Bypass Vulnerability

CVE-2026-12102 is an authentication bypass flaw in the UsersWP WordPress plugin allowing editor-level attackers to delete user avatars and banners. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-12102 Overview

CVE-2026-12102 is an Insecure Direct Object Reference (IDOR) vulnerability in the UsersWP WordPress plugin, which provides front-end login forms, user registration, user profiles, and a members directory. The flaw affects all versions of UsersWP up to and including 1.2.63. It originates from missing validation on a user-controlled user_id parameter in the avatar and banner reset flow. Authenticated attackers with editor-level access or above can reset and permanently delete the avatar or banner image of any user, including administrators, by clearing avatar_thumb or banner_thumb metadata in the uwp_usermeta table.

Critical Impact

Editor-level attackers can permanently delete avatar and banner images of arbitrary WordPress users, including administrators, by abusing the unvalidated user_id parameter.

Affected Products

  • UsersWP plugin for WordPress, versions up to and including 1.2.63
  • WordPress sites using UsersWP front-end login form, user registration, user profile, and members directory functionality
  • Sites where editor-level or higher accounts are issued to untrusted users

Discovery Timeline

  • 2026-06-18 - CVE-2026-12102 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-12102

Vulnerability Analysis

The vulnerability is classified as Insecure Direct Object Reference [CWE-639]. The UsersWP plugin exposes avatar and banner reset functionality through class-forms.php and class-profile.php. The code paths accept a user_id parameter from the request and act on the matching record in the uwp_usermeta table without verifying that the requesting user is authorized to modify that target. An authenticated user with the editor capability set can submit a crafted request that resets the avatar_thumb or banner_thumb metadata for any user ID, including administrator accounts. The result is permanent deletion of the targeted profile imagery.

Root Cause

The root cause is missing authorization validation on a user-controlled key. The pre-patch logic in class-forms.php accepted any numeric user_id from $_GET while in the admin context, without checking the acting user's capability against the target user. The nonce was also scoped only by $type, not by the target user ID, allowing reuse across arbitrary user identifiers.

Attack Vector

Exploitation requires an authenticated session at editor level or above. The attacker issues a request to the avatar or banner reset endpoint, supplies the victim's numeric user_id, and includes a valid uwp_reset_nonce. The server processes the request and clears the corresponding metadata entries in uwp_usermeta, removing the victim's avatar or banner.

php
// Pre-patch logic in includes/class-forms.php (vulnerable)
if ( empty( $_POST['uwp_reset_nonce'] ) || ! wp_verify_nonce( $_POST['uwp_reset_nonce'], 'uwp_reset_nonce_' . $type ) ) {
    return;
}

if ( is_admin() && defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
    $user_id = get_current_user_id();
} elseif ( is_admin() && ! empty( $_GET['user_id'] ) && is_numeric( $_GET['user_id'] ) ) {
    // No capability check - any admin-area user can target another user_id
    $user_id = absint( $_GET['user_id'] );
} else {
    $user_id = get_current_user_id();
}

Source: GitHub Commit 0e69f96

Detection Methods for CVE-2026-12102

Indicators of Compromise

  • Unexpected removal of administrator or high-privilege user avatars or banners in the UsersWP front-end and members directory
  • Rows missing avatar_thumb or banner_thumb entries in the uwp_usermeta table for users who previously had images set
  • WordPress access logs showing requests to UsersWP profile or form endpoints carrying a user_id query parameter that does not match the requester's own user ID
  • Editor-role accounts submitting uwp_reset_nonce POST requests targeting administrator user IDs

Detection Strategies

  • Audit web server logs for admin-area requests containing user_id= parameters from non-administrator sessions
  • Monitor changes to the uwp_usermeta table, particularly deletions or empty-string updates to avatar_thumb and banner_thumb keys
  • Correlate WordPress authentication logs with avatar or banner change events to identify cross-user modifications

Monitoring Recommendations

  • Enable WordPress audit logging to record profile metadata changes and the acting user for each event
  • Alert when an editor or non-administrator account triggers profile reset actions targeting administrator user IDs
  • Track installed UsersWP plugin versions across WordPress estates and flag any installation at version 1.2.63 or earlier

How to Mitigate CVE-2026-12102

Immediate Actions Required

  • Update UsersWP to version 1.2.64 or later on all WordPress sites running the plugin
  • Review the list of editor-level and higher accounts and revoke access for any that are not strictly required
  • Inspect uwp_usermeta for missing avatar or banner entries on administrator and privileged accounts and restore from backup if needed

Patch Information

The fix is included in UsersWP 1.2.64. The patch adds a current_user_can( 'manage_options' ) capability check before honoring the user_id request parameter, and binds the uwp_reset_nonce to the target user ID. The same authorization pattern is added to crop_submit_form() in class-profile.php.

php
// Patched logic in includes/class-profile.php (1.2.64)
public function crop_submit_form( $type = 'avatar' ) {

    if ( is_admin() && defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
        $user_id = get_current_user_id();
    } elseif ( is_admin() && current_user_can( 'manage_options' ) && ! empty( $_GET['user_id'] ) && is_numeric( $_GET['user_id'] ) ) {
        $user_id = absint( $_GET['user_id'] );
    } else {
        $user_id = get_current_user_id();
    }

    ob_start();
    // ...
}

Source: GitHub Commit 0e69f96

Workarounds

  • Restrict the editor and higher roles to trusted personnel until the plugin is updated
  • Use a web application firewall rule to block admin-area requests where a non-administrator session supplies a user_id parameter to UsersWP endpoints
  • Maintain regular backups of the WordPress database so that deleted avatar_thumb and banner_thumb metadata can be restored
  • Consult the Wordfence Vulnerability Intelligence entry for additional guidance
bash
# Verify the installed UsersWP version on a WordPress host
wp plugin get userswp --field=version

# Update UsersWP to the patched release
wp plugin update userswp --version=1.2.64

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.