The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports. | |
| Title | User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-08T05:34:08.154Z
Reserved: 2026-06-12T14:14:04.136Z
Link: CVE-2026-12097
No data.
No data.
No data.
OpenCVE Enrichment
No data.