Browse all 3 CVE security advisories affecting wpusermanager. AI-powered Chinese analysis, POCs, and references for each vulnerability.
wpusermanager is a WordPress plugin designed for user management and access control. Historically, it has been vulnerable to multiple security issues including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. The plugin has accumulated three CVE records, highlighting recurring security flaws in input validation and access control mechanisms. These vulnerabilities have allowed attackers to execute arbitrary code, steal session cookies, and elevate privileges to administrator levels. The consistent pattern of security issues suggests fundamental weaknesses in the plugin's architecture and development practices, making it a significant risk for WordPress installations that haven't been properly secured or updated.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-13320 | WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter — WP User Manager – User Profile Builder & MembershipCWE-73 | 6.8 | Medium | 2025-12-12 |
| CVE-2024-10537 | WP User Manager – User Profile Builder & Membership <= 2.9.11 - Missing Authorization to Authenticated (Subscriber+) User Meta Key Enumeration — WP User Manager – User Profile Builder & MembershipCWE-862 | 4.3 | Medium | 2024-11-23 |
| CVE-2024-10216 | WP User Manager – User Profile Builder & Membership <= 2.9.11 - Missing Authorization to Carbon Fields Custom Sidebar Addition/Removal — WP User Manager – User Profile Builder & MembershipCWE-862 | 4.3 | Medium | 2024-11-23 |
This page lists every published CVE security advisory associated with wpusermanager. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.