GHSA-crv8-pwhc-5w5p · Severity: low — The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin...
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Conclusion & alert: CVE-2026-12102 is rated Low Risk (17.6/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.28%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-18 | — | 0.28% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.7 | 3.1 | LOW |
|
1.2 | 1.4 | [email protected] |
GHSA-crv8-pwhc-5w5p · Severity: low — The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||