What the vulnerability does
01 Description
Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar wp-user-profile-avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through <= 1.0.6.
Explanation of Vulnerability in Simple Terms
02 Summary
WP User Profile Avatar versions 1.0.6 and earlier lack proper authorization checks, allowing authenticated users to access sensitive profile information they should not see. An attacker with a low-privilege account can read other users' profile data without additional interaction. The vulnerability affects the plugin's core functionality and exposes confidential user details.
What an attacker can do
03 Attacker Capabilities
Read other users' profile information and avatar data without permission.
Potential impact on your site
04 Site Impact
User privacy is compromised; profile data is exposed to any authenticated user, potentially including email addresses and personal details.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
June 20, 2025: CVE published
April 28, 2026: Record updated