CVE-2026-57676

🗓️ 29 Jun 2026 08:19:51Reported by PatchstackType

WordPress Simple User Avatar plugin up to 4.9 allows authorization bypass via a user controlled key.

Reporter	Title	Published	Views	Family All 6
ATTACKERKB	CVE-2026-57676	29 Jun 202608:19	–	attackerkb
Cvelist	CVE-2026-57676 WordPress Simple User Avatar plugin <= 4.9 - Insecure Direct Object References (IDOR) vulnerability	29 Jun 202608:19	–	cvelist
EUVD	EUVD-2026-40056	29 Jun 202608:19	–	euvd
NVD	CVE-2026-57676	29 Jun 202609:16	–	nvd
Patchstack	WordPress Simple User Avatar plugin <= 4.9 - Insecure Direct Object References (IDOR) vulnerability	29 Jun 202608:18	–	patchstack
Positive Technologies	PT-2026-53236	29 Jun 202600:00	–	ptsecurity

Vulners

Node

matteo_manna simple_user_avatarRange≤4.9wordpress

[
  {
    "vendor": "Matteo Manna",
    "product": "Simple User Avatar",
    "collectionURL": "https://wordpress.org/plugins",
    "packageName": "simple-user-avatar",
    "versions": [
      {
        "status": "affected",
        "version": "n/a",
        "lessThanOrEqual": "4.9",
        "changes": [
          {
            "at": "5.0",
            "status": "unaffected"
          }
        ],
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
patchstack	www.patchstack.com/database/wordpress/plugin/simple-user-avatar/vulnerability/wordpress-simple-user-avatar-plugin-4-9-insecure-direct-object-references-idor-vulnerability

29 Jun 2026 09:16Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.14.3

CWE-639