{"id":"CVE-2026-12102","summary":"UsersWP \u003c= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter","details":"The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.","modified":"2026-07-08T08:12:22.743000007Z","published":"2026-06-18T06:50:05.344Z","database_specific":{"cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12102.json","cna_assigner":"Wordfence"},"references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12102.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12102"},{"type":"FIX","url":"https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ayecode/userswp","events":[{"introduced":"0"},{"fixed":"0e69f967578904cc26fadd0206270d50b7420298"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.2.63"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["1.2.63","1.2.62","1.2.61","1.2.60","1.2.59","1.2.58","1.2.57","1.2.56","1.2.55","1.2.54","1.2.53","1.2.52","1.2.51","1.2.50","1.2.49","1.2.48","1.2.47","1.2.46","1.2.45","1.2.44","1.2.43","1.2.42","1.2.41","1.2.40","1.2.39","1.2.38","1.2.37","1.2.36","1.2.35","1.2.34","1.2.33","1.2.32","1.2.31","1.2.30","1.2.29","1.2.28","1.2.27","1.2.26","1.2.25","1.2.24","1.2.23","1.2.20","1.2.19","1.2.18","1.2.17","1.2.16","1.2.15","1.2.14","1.2.13","1.2.12","1.2.11","1.2.10","1.2.9","1.2.8","1.2.7","1.2.6","1.2.5","1.2.4","1.2.3.24","1.2.3.23","1.2.3.22","1.2.3.21","1.2.3.20","1.2.3.19","1.2.3.18","1.2.3.17","1.2.3.16","1.2.3.15","1.2.3.14","1.2.3.13","1.2.3.12","1.2.3.11","1.2.3.10","1.2.3.9","1.2.3.8","1.2.3.7","1.2.3.6","1.2.3.5","1.2.3.4","1.2.3.3","1.2.3.2","1.2.3.1","1.2.3","1.2.2.37","1.2.2.36","1.2.2.35","1.2.2.34","1.2.2.33","1.2.2.32","1.2.2.31","1.2.2.30","1.2.2.29","1.2.2.28","1.2.2.27","1.2.2.26","1.2.2.25","1.2.2.24","1.2.2.23","1.2.2.22","1.2.2.21","1.2.2.20","1.2.2.19","1.2.2.18","1.2.2.17","1.2.2.16","1.2.2.15","1.2.2.14","1.2.2.13","1.2.2.12","1.2.2.11","1.2.2.10","1.2.2.9","1.2.2.8","1.2.2.7","1.2.2.6","1.2.2.5","1.2.2.4","1.2.2.3","1.2.2.2","1.2.2.1","1.2.2","1.2.1.9","1.2.1.8","1.2.1.7","1.2.1.6","1.2.1.5","1.2.1.4","1.2.1.3","1.2.1.2","1.2.1.1","1.2.1","1.2.0.12","1.2.0.11","1.2.0.10","1.2.0.9","1.2.0.8","1.2.0.7","1.2.0.6","1.2.0.5","1.2.0.4","1.2.0.3","1.2.0.2","1.2.0.1","1.2.0","1.1.3","1.1.2","1.1.1","1.1.0","1.0.24","1.0.23","1.0.22","1.0.21","1.0.20","1.0.19","1.0.18","1.0.17","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.10","1.0.11","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12102.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}]}