What the vulnerability does
01 Description
Missing Authorization vulnerability in vanquish User Extra Fields (wp-user-extra-fields) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8.
Explanation of Vulnerability in Simple Terms
02 Summary
User Extra Fields versions 16.8 and earlier contain an authorization bypass that allows unauthenticated attackers to read sensitive user data. The vulnerability stems from missing access control checks on endpoints that expose user field information. No user interaction or special network conditions are required to exploit this flaw.
What an attacker can do
03 Attacker Capabilities
Read sensitive user field data without authentication.
Potential impact on your site
04 Site Impact
Unauthorized disclosure of user profile information stored in extra fields to anyone on the internet.
Conditions required to exploit
05 Prerequisites
Network access to the affected site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
December 9, 2025: CVE published
April 28, 2026: Record updated