Simple User Avatar <= 4.9 - Authenticated (Subscriber+) Insecure Direct Object Reference
2026-06-29 00:00
Ananda DhakalStrategic Overview
StatusPatched in 5.0
Affected PluginSimple User Avatar
Affected Version
<= 4.9CVSS4.3Medium
CVE
CVE-2026-57676Vulnerability Overview
The Simple User Avatar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
Technical Analysis
REMEDIATION: Update to version 5.0, or a newer patched version --- IDENTIFIER: CWE-639 (Authorization Bypass Through User-Controlled Key) The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
External References
Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C