cleantalk
Vulnerabilities and Security Researches

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress, CVE-2026-12102

CVE, Research URL

CVE-2026-12102

Home page URL

Security reports for UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress

Application

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress

Published on
Jun 18, 2026
Research Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Affected versions
max 1.2.64.
Status
vulnerable
Previous vulnerability researches
Web Push Notifications by PushEngage: WordPress Push Notifications to Supercharge Your Engagement (CVE-2026-52698) , Jun 19, 2026
New vulnerability
WP Scraper (CVE-2025-69129) , Jun 19, 2026
WP Scraper (CVE-2025-69131) , Jun 19, 2026
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress (CVE-2026-12102) , Jun 19, 2026
Popup Box – Best WordPress Popup Plugin (CVE-2026-54192) , Jun 19, 2026
Simple Membership (CVE-2026-12093) , Jun 19, 2026