CVE-2026-12097
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.
| CWE | CWE-862 |
| Vendor | saadiqbal |
| Product | user management |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for saadiqbal user management
Be the first to know when new medium vulnerabilities affecting saadiqbal user management are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
saadiqbal / User Management
0 โค 1.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4f1d0a07-254c-4df9-90a4-966dff014df0?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L853 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L729 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/users-imp-exp-wpexperts.php#L22
Credits
haitam_lz