[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7aNLmdfutd6mhcjorn7J-IEZIUFw2JTaOOpQjkcsFkQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12102","userswp-insecure-direct-object-reference-to-authenticated-editor-arbitrary-user-avatarbanner-reset-via-userid-parameter","UsersWP \u003C= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar\u002FBanner Reset via 'user_id' Parameter","The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.","userswp",null,"\u003C=1.2.63","1.2.64","low",2.7,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-17 18:09:44","2026-06-18 06:50:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7115756e-69fa-42fe-bde3-a36e34d4bae3?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fsettings\u002Fclass-uwp-settings-general.php","assets\u002Fjs\u002Fusers-wp.min.js","includes\u002Fclass-activator.php","includes\u002Fclass-forms.php","includes\u002Fclass-profile.php","readme.txt","templates\u002Fbootstrap\u002Flogin.php","templates\u002Fbootstrap\u002Fmodal-profile-image.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-12102\n\n## 1. Vulnerability Summary\nThe **UsersWP** plugin (\u003C= 1.2.63) contains an **Insecure Direct Object Reference (IDOR)** vulnerability in its profile image reset logic. Specifically, the `UsersWP_Forms::process_image_reset` function (called via `UsersWP_Forms::handler`) fails to perform adequate authorization checks when determining which user's avatar or banner should be reset. \n\nWhile the sister function `process_image_crop` (found in `includes\u002Fclass-forms.php`) contains a check for `manage_options` when a `user_id` is provided, the reset functionality apparently lacks this restriction or uses a lower capability check (sufficient for an **Editor**), allowing any authenticated user with Editor-level access to clear the `avatar_thumb` or `banner_thumb` metadata for any other user, including Administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fprofile.php` (or any admin-side page where `UsersWP_Forms::handler` is initialized).\n- **Hook**: Likely `admin_init` or `init` where `UsersWP_Forms::handler()` is registered.\n- **Action**: `POST` request with the parameter `uwp_avatar_reset` or `uwp_banner_reset`.\n- **Vulnerable Parameter**: `user_id` (passed via `GET` or `POST`).\n- **Required Authentication**: Authenticated (Editor or higher).\n- **Preconditions**: The target user (e.g., Administrator) must have an avatar or banner set in the `uwp_usermeta` table.\n\n## 3. Code Flow\n1.  **Entry Point**: A `POST` request is sent to an administrative page (e.g., `\u002Fwp-admin\u002Fprofile.php?user_id=1`).\n2.  **Trigger**: `UsersWP_Forms::handler()` in `includes\u002Fclass-forms.php` checks for the presence of `$_POST['uwp_avatar_reset']` or `$_POST['uwp_banner_reset']`.\n3.  **Vulnerable Call**: `handler()` calls `$this->process_image_reset( 'avatar' )` or `$this->process_image_reset( 'banner' )`.\n4.  **IDOR Sink**: Inside `process_image_reset()`, the code extracts the target `user_id` from the request (likely `$_GET['user_id']` or `$_POST['user_id']`). \n5.  **Authorization Failure**: The function fails to verify if the current user has permission to modify the target `user_id`.\n6.  **Metadata Deletion**: The function calls `uwp_delete_usermeta( $user_id, 'avatar_thumb' )` or similar, clearing the data in the `uwp_usermeta` table.\n\n## 4. Nonce Acquisition Strategy\nThe reset operation is protected by a nonce check. Based on `templates\u002Fbootstrap\u002Fmodal-profile-image.php`, the nonce is generated using `wp_create_nonce( 'uwp_reset_nonce_' . $type )`.\n\n### Step-by-Step Acquisition:\n1.  **Identify Action**: The AJAX action `uwp_ajax_image_crop_popup_form` returns the HTML modal containing the required nonce.\n2.  **Navigate\u002FExecute**: Use the `http_request` tool to perform an authenticated AJAX call as the Editor.\n3.  **AJAX Request**:\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=uwp_ajax_image_crop_popup_form&type=avatar&style=bootstrap\n    ```\n4.  **Extract Nonce**: Parse the response HTML for the input field:\n    `\u003Cinput type=\"hidden\" name=\"uwp_reset_nonce\" id=\"uwp_reset_nonce\" value=\"[NONCE_VALUE]\">`\n5.  **JS Variable (Fallback)**: If the plugin localizes data, check `window.uwp_localize_data` using `browser_eval`.\n\n## 5. Exploitation Strategy\n1.  **Authentication**: Log in as a user with the **Editor** role.\n2.  **Target Identification**: Identify the `user_id` of the target Administrator (usually `1`).\n3.  **Nonce Retrieval**: Perform the AJAX call described in Section 4 to obtain a valid `uwp_reset_nonce`.\n4.  **Exploit Request**: Send a `POST` request to `\u002Fwp-admin\u002Fprofile.php` targeting the Administrator.\n    - **URL**: `\u002Fwp-admin\u002Fprofile.php?user_id=1`\n    - **Method**: `POST`\n    - **Body Parameters**:\n        - `uwp_avatar_reset`: `1`\n        - `uwp_reset_nonce`: `[EXTRACTED_NONCE]`\n        - `user_id`: `1`\n5.  **Headers**: Ensure `Cookie` header for the Editor session is included.\n\n## 6. Test Data Setup\n1.  **Target User**: Ensure User ID 1 (Admin) exists.\n2.  **Avatar Metadata**: Manually set or upload an avatar for User ID 1 so that the `avatar_thumb` key exists in the `uwp_usermeta` table.\n    ```bash\n    wp db query \"INSERT INTO wp_uwp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'avatar_thumb', 'https:\u002F\u002Fexample.com\u002Favatar.jpg')\"\n    ```\n3.  **Attacker User**: Create a user with the `editor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=editor --user_pass=password123\n    ```\n\n## 7. Expected Results\n- The server should respond with a redirect or a success message (`Avatar","The UsersWP plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to 1.2.63. This allows authenticated attackers with Editor-level access or higher to reset the avatar or banner of any arbitrary user, including administrators, by manipulating the 'user_id' parameter.","\u002F\u002F includes\u002Fclass-forms.php, line 76\n\n\t\t} elseif ( isset( $_POST['uwp_avatar_reset'] ) ) {\n\t\t\t$errors = $this->process_image_reset( 'avatar' );\n\t\t\tif ( ! is_wp_error( $errors ) ) {\n\t\t\t\t$redirect = $errors;\n\t\t\t}\n\t\t\t$message   = __( 'Avatar reset successfully.', 'userswp' );\n\t\t\t$processed = true;\n\t\t} elseif ( isset( $_POST['uwp_banner_reset'] ) ) {\n\t\t\t$errors = $this->process_image_reset( 'banner' );\n\t\t\tif ( ! is_wp_error( $errors ) ) {\n\t\t\t\t$redirect = $errors;\n\t\t\t}\n\t\t\t$message   = __( 'Banner reset successfully.', 'userswp' );\n\t\t\t$processed = true;\n\t\t}\n\n---\n\n\u002F\u002F includes\u002Fclass-forms.php (Inferred vulnerable implementation of process_image_reset)\n\n\tpublic function process_image_reset( $type = 'avatar' ) {\n\t\tif ( ! is_user_logged_in() ) {\n\t\t\treturn false;\n\t\t}\n\n\t\tif ( empty( $_POST['uwp_reset_nonce'] ) || ! wp_verify_nonce( $_POST['uwp_reset_nonce'], 'uwp_reset_nonce_' . $type ) ) {\n\t\t\treturn;\n\t\t}\n\n\t\t\u002F\u002F Vulnerable: user_id is taken from request without verifying permissions to edit the specific user\n\t\t$user_id = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : get_current_user_id();\n\n\t\t$current_field = 'avatar' === $type ? 'avatar_thumb' : 'banner_thumb';\n\t\treturn uwp_delete_usermeta( $user_id, $current_field );\n\t}","--- includes\u002Fclass-forms.php\n+++ includes\u002Fclass-forms.php\n@@ -200,6 +200,16 @@\n \tpublic function process_image_reset( $type = 'avatar' ) {\n \t\tif ( ! is_user_logged_in() ) {\n \t\t\treturn false;\n \t\t}\n \n \t\tif ( empty( $_POST['uwp_reset_nonce'] ) || ! wp_verify_nonce( $_POST['uwp_reset_nonce'], 'uwp_reset_nonce_' . $type ) ) {\n \t\t\treturn;\n \t\t}\n \n-\t\t$user_id = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : get_current_user_id();\n+\t\tif ( is_admin() && current_user_can( 'manage_options' ) && ! empty( $_REQUEST['user_id'] ) ) {\n+\t\t\t$user_id = absint( $_REQUEST['user_id'] );\n+\t\t} else {\n+\t\t\t$user_id = get_current_user_id();\n+\t\t}\n \n \t\t$current_field = 'avatar' === $type ? 'avatar_thumb' : 'banner_thumb';","The exploit methodology targets the UsersWP profile reset logic through an administrative endpoint. \n1. Authenticate as a user with Editor-level privileges (who have access to the admin dashboard but normally cannot edit administrator profiles).\n2. Acquire a valid 'uwp_reset_nonce' by triggering the AJAX action 'uwp_ajax_image_crop_popup_form' with the target 'type' (avatar or banner). The server returns the HTML for a modal containing the hidden nonce field.\n3. Identify the 'user_id' of the target user (e.g., User ID 1 for the site administrator).\n4. Submit a POST request to '\u002Fwp-admin\u002Fprofile.php' (or similar admin-side profile pages) containing the parameter 'uwp_avatar_reset=1' (or 'uwp_banner_reset=1'), the targeted 'user_id', and the acquired 'uwp_reset_nonce'.\n5. Because the vulnerable function prioritizes the 'user_id' from the request without validating if the current user has 'manage_options' capabilities for that specific ID, the plugin deletes the target user's 'avatar_thumb' or 'banner_thumb' metadata.","gemini-3-flash-preview","2026-06-25 21:40:09","2026-06-25 21:41:03",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.2.63","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserswp\u002Ftags\u002F1.2.63","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserswp.1.2.63.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserswp\u002Ftags\u002F1.2.64","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserswp.1.2.64.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserswp\u002Ftags"]