Vulnerabilities and security researches forwp-user-manager wp-user-manager

Nov 11, 2025

CVE, Research URL: CVE-2025-60245
Home page URL: Security reports for WP User Manager – User Profile Builder & Membership
Application: WP User Manager – User Profile Builder & Membership
Date: Nov 06, 2025
Research Description: Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.
Affected versions: max 2.9.12.
Status: vulnerable

Nov 25, 2024

CVE, Research URL: CVE-2024-10537
Home page URL: Security reports for WP User Manager – User Profile Builder & Membership
Application: WP User Manager – User Profile Builder & Membership
Date: Nov 23, 2024
Research Description: The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
Affected versions: max 2.9.12.
Status: vulnerable

CVE, Research URL: CVE-2024-10216
Home page URL: Security reports for WP User Manager – User Profile Builder & Membership
Application: WP User Manager – User Profile Builder & Membership
Date: Nov 23, 2024
Research Description: The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.
Affected versions: max 2.9.12.
Status: vulnerable

Aug 20, 2024

CVE, Research URL: CVE-2024-43336
Home page URL: Security reports for WP User Manager – User Profile Builder & Membership
Application: WP User Manager – User Profile Builder & Membership
Date: Aug 27, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WP User Manager.This issue affects WP User Manager: from n/a through 2.9.10.
Affected versions: max 2.9.11.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24655
Home page URL: Security reports for WP User Manager – User Profile Builder & Membership
Application: WP User Manager – User Profile Builder & Membership
Date: Jul 17, 2022
Research Description: The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Affected versions: max 2.6.3.
Status: vulnerable