๐Ÿ” CVE Alert

CVE-2026-12097

MEDIUM 5.3

User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.

CWE CWE-862
Vendor saadiqbal
Product user management
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for saadiqbal user management

Be the first to know when new medium vulnerabilities affecting saadiqbal user management are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

saadiqbal / User Management
0 โ‰ค 1.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4f1d0a07-254c-4df9-90a4-966dff014df0?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L853 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L729 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/users-imp-exp-wpexperts.php#L22

Credits

haitam_lz