cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forwp-user-manager wp-user-manager

Direction: ascending
Jun 07, 2024

WP User Manager – User Profile Builder & Membership # CVE-2021-24655

CVE, Research URL

CVE-2021-24655

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Date
Jul 17, 2022
Research Description
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Affected versions
max 2.6.3.
Status
vulnerable
Aug 20, 2024

WP User Manager – User Profile Builder & Membership # CVE-2024-43336

CVE, Research URL

CVE-2024-43336

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Date
Aug 27, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in WP User Manager.This issue affects WP User Manager: from n/a through 2.9.10.
Affected versions
max 2.9.11.
Status
vulnerable
Nov 25, 2024

WP User Manager – User Profile Builder & Membership # CVE-2024-10537

CVE, Research URL

CVE-2024-10537

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Date
Nov 23, 2024
Research Description
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
Affected versions
max 2.9.12.
Status
vulnerable

WP User Manager – User Profile Builder & Membership # CVE-2024-10216

CVE, Research URL

CVE-2024-10216

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Date
Nov 23, 2024
Research Description
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.
Affected versions
max 2.9.12.
Status
vulnerable
Nov 11, 2025

WP User Manager – User Profile Builder & Membership # CVE-2025-60245

CVE, Research URL

CVE-2025-60245

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Date
Nov 06, 2025
Research Description
Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.
Affected versions
max 2.9.12.
Status
vulnerable