CVE-2025-49980 MEDIUM

CVE-2025-49980: WordPress WP User Profile Avatar plugin <= 1.0.6 - Broken Access Control Vulnerability

Vendor Wp Event Manager
Product WP User Profile Avatar
Weakness CWE-862 · Missing authorization
Published June 20, 2025
Last update April 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar wp-user-profile-avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through <= 1.0.6.

Explanation of Vulnerability in Simple Terms

02 Summary

WP User Profile Avatar versions 1.0.6 and earlier lack proper authorization checks, allowing authenticated users to access sensitive profile information they should not see. An attacker with a low-privilege account can read other users' profile data without additional interaction. The vulnerability affects the plugin's core functionality and exposes confidential user details.
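The record classifies the flaw as CWE-862 (missing authorization) reachable by any authenticated low-privilege user. The following is an added, generic illustration of that weakness class in a WordPress plugin, written for this page and not taken from the WP User Profile Avatar plugin; the page does not say where in the plugin the missing check sits, so the hook name `example_get_profile`, the meta key `example_avatar_id` and the function names are assumed for the example. It shows a handler that hands profile data to any logged-in caller beside a version that checks a nonce and the caller's capability for the requested user.

```php
<?php
// Added example of CWE-862 in a WordPress AJAX handler.
// Not the WP User Profile Avatar plugin's code: the action names, meta key
// and function names below are assumptions made for this illustration.

// Vulnerable pattern: wp_ajax_* hooks fire for any logged-in user, so a
// subscriber can reach this. Nothing verifies that the caller is allowed
// to read the requested user's data.
add_action( 'wp_ajax_example_get_profile', 'example_get_profile_vulnerable' );
function example_get_profile_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    // Discloses another user's e-mail and avatar meta to any authenticated caller.
    wp_send_json_success( array(
        'email'  => $user->user_email,
        'avatar' => get_user_meta( $user_id, 'example_avatar_id', true ),
    ) );
}

// Hardened pattern: the nonce ties the request to the form that issued it,
// and the capability check restricts the handler to the caller's own profile
// or to users the caller is allowed to edit (the edit_user meta capability,
// which administrators hold for other accounts and subscribers do not).
add_action( 'wp_ajax_example_get_profile_secure', 'example_get_profile_secure' );
function example_get_profile_secure() {
    // Dies with a 403 if the 'nonce' field does not match the expected action.
    check_ajax_referer( 'example_profile_nonce', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_send_json_success( array(
        'email'  => $user->user_email,
        'avatar' => get_user_meta( $user_id, 'example_avatar_id', true ),
    ) );
}
```

The nonce alone is not the fix: a subscriber can obtain a valid nonce for their own session, so the authorization decision has to be the `current_user_can( 'edit_user', $user_id )` check against the user whose data is being requested, not merely the fact that the caller is logged in.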

What an attacker can do

03 Attacker Capabilities

Read other users' profile information and avatar data without permission.

Potential impact on your site

04 Site Impact

User privacy is compromised; profile data is exposed to any authenticated user, potentially including email addresses and personal details.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

June 20, 2025 CVE published
April 28, 2026 Record updated