23 matches found
CVE-2026-12102
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...
CVE-2026-42174 Kirby: User avatar creation, replacement and deletion are not gated by user update permissions
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42174
Kirby CMS (CVE-2026-42174) is vulnerable prior to updates 4.9.0 and 5.4.0: user avatars could be created, replaced, or deleted without proper user.update/users.update permission checks. The root cause is missing authorization gating for avatar actions, allowing users with only file permissions to...
CVE-2026-30842
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
EUVD-2026-10122
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
CVE-2026-30842 Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
PT-2026-23827
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any...
EUVD-2023-58157
Malicious code in bioql PyPI...
PT-2025-4306 · Unknown · Clipbucket
Name of the Vulnerable Software and Affected Versions: ClipBucket V5 versions prior to 5.5.1 - 237 Description: The issue arises during the user avatar upload workflow, where a user can upload and change their avatar at any time. During deletion, ClipBucket checks if the avatar url is a filepath...
CVE-2023-6384
The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar...
CVE-2023-5884
The Word Balloon WordPress plugin before 4.20.3 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link...
WordPress plugin Word Balloon security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability in the WordPress...
PT-2023-32393 · WordPress · Word Balloon
Name of the Vulnerable Software and Affected Versions: Word Balloon WordPress plugin versions prior to 4.20.3 Description: The issue allows an unauthenticated attacker to trick a logged-in user into deleting arbitrary avatars by clicking a link, due to a lack of protection against CSRF attacks in...
CVE-2022-4030
The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible for attackers with minimal permissions, such as a subscriber, to supply paths to...
CVE-2022-4030
The CVE-2022-4030 entry concerns the WordPress Simple:Press plugin (versions up to 6.8). It describes a path-traversal flaw in the file parameter used during user avatar deletion, which could allow an attacker with minimal privileges (e.g., a subscriber) to reference and delete arbitrary server f...
CVE-2022-4030 Simple:Press <= 6.8 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion
The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible for attackers with minimal permissions, such as a subscriber, to supply paths to...