User Profile Builder WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the User Profile Builder WordPress plugin, in versions 3.15.5 and earlier. The issue is in the wppb_save_avatar_value() function, which does not validate a user-controlled key. Authenticated attackers with subscriber-level access or higher can use this flaw to change the ownership of any post or attachment by modifying the 'post_author' field.
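The bug class described above, as a simplified model added for illustration; it is not the plugin's code. The Post record, the handler names, the avatars mapping and the sample data are constructed assumptions; only the post_author field name comes from the advisory.

```python
from dataclasses import dataclass

@dataclass
class Post:
    id: int
    post_type: str    # "post" or "attachment"
    post_author: int  # owning user ID

def sample_posts():
    # Constructed data: user 1 is an administrator, user 7 a subscriber.
    return {
        10: Post(10, "post", 1),
        20: Post(20, "attachment", 1),
        30: Post(30, "attachment", 7),
    }

def save_avatar_unchecked(posts, avatars, current_user, submitted_id):
    """Flawed pattern: trusts the submitted ID and rewrites ownership."""
    post = posts[int(submitted_id)]
    post.post_author = current_user   # any post or attachment is reassigned
    avatars[current_user] = post.id
    return True

def save_avatar_checked(posts, avatars, current_user, submitted_id):
    """Hardened pattern: resolve the reference, then authorize it."""
    try:
        post = posts[int(submitted_id)]
    except (KeyError, ValueError, TypeError):
        return False                  # malformed or unknown reference
    if post.post_type != "attachment":
        return False                  # avatars can only be media items
    if post.post_author != current_user:
        return False                  # caller does not own the object
    avatars[current_user] = post.id   # ownership is never rewritten
    return True

if __name__ == "__main__":
    posts, avatars = sample_posts(), {}
    save_avatar_unchecked(posts, avatars, 7, "10")
    print("unchecked: post 10 author =", posts[10].post_author)
    posts, avatars = sample_posts(), {}
    for ref in ("10", "20", "30", "abc"):
        print("checked:", ref, save_avatar_checked(posts, avatars, 7, ref))
```

The checked handler treats the submitted ID as untrusted input: it confirms the object exists, is of the expected type, and already belongs to the caller before using it.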

Impact

Exploitation of this vulnerability allows for unauthorized reassignment of post and attachment ownership, potentially leading to misuse of post authorship privileges.

Remediation

Users are advised to update the User Profile Builder plugin to version 3.15.6 or later.

Added: Mar 31, 2026, 12:21 PM
Updated: Mar 31, 2026, 12:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 5.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.