WP User Manager Vulnerability Disclosure Program (original) (raw)

Vulnerability history

1 present

4 fixed

2 Mitigation rules

• Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter vulnerability<= 2.9.12Dec 12, 2025
• PHP Object Injection vulnerability<= 2.9.12May 19, 2025
• Missing Authorization to Authenticated (Subscriber+) User Meta Key Enumeration vulnerability<= 2.9.11Nov 22, 2024
• Missing Authorization to Carbon Fields Custom Sidebar Addition/Removal vulnerability<= 2.9.11Nov 22, 2024
• Cross Site Request Forgery (CSRF) vulnerability<= 2.9.10Aug 16, 2024