CVE Catalog

CVE-2026-57676

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

The Simple User Avatar plugin for WordPress contains an authorization bypass vulnerability through a user-controlled key. This allows exploiting incorrectly configured access control security levels.

Risk Assessment

An attacker can gain unauthorized access to functions or data they should not have permissions for, potentially leading to confidentiality and integrity breaches.

Recommendation

Immediately update the Simple User Avatar plugin to the latest available version that fixes this vulnerability. If no update is available, consider temporarily disabling the plugin.

Original NVD description (English source)

Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS