cleantalk
Vulnerabilities and Security Researches

WP User Manager – User Profile Builder & Membership, CVE-2024-10216

CVE, Research URL

CVE-2024-10216

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Published on
Nov 23, 2024
Research Description
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.
Affected versions
max 2.9.12.
Status
vulnerable
Previous vulnerability researches
WP User Manager – User Profile Builder & Membership (CVE-2021-24655) , Jun 07, 2024
WP User Manager – User Profile Builder & Membership (CVE-2024-10537) , Nov 25, 2024
WP User Manager – User Profile Builder & Membership (CVE-2024-10216) , Nov 25, 2024
WP User Manager – User Profile Builder & Membership (CVE-2025-60245) , Nov 11, 2025
WP User Manager – User Profile Builder & Membership (CVE-2024-43336) , Aug 20, 2024
New vulnerability
JB News Ticker (CVE-2025-11804) , Nov 11, 2025
My auctions allegro (CVE-2025-10048) , Nov 11, 2025
Sertifier Certificates & Open Badges – Tutor LMS (CVE-2025-53214) , Nov 11, 2025
Toast Mobile Menu – PageSpeed Insights Friendly (CVE-2025-53238) , Nov 11, 2025
Stripe Payment forms for WordPress Plugin – WP Full Pay (CVE-2025-9322) , Nov 11, 2025