Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4024 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
5.3
CVE-2026-12097EXPLOITED
wordpress · user management

User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification

Description

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's export field configuration stored in the uiewp_export_field option, controlling which user fields such as password hashes are included in CSV exports and how columns are mapped during imports.

Affected Products

VendorProductVersions
wordpressuser management0

References

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/4f1d0a07-254c-4df9-90a4-966dff014df0?source=cve
  • https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L853
  • https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L729
  • https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/includes/model.php#L21
  • https://plugins.trac.wordpress.org/browser/user-management/tags/1.2/users-imp-exp-wpexperts.php#L22

Related News (1 articles)

Tier C
VulDB9d ago
CVE-2026-12097 | saadiqbal User Management Plugin up to 1.2 authorization
→ No new info (linked only)
CVSS 3.15.3 MEDIUM
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-862
PublishedJul 8, 2026
Last enriched9d agov2
Trending Score12
Source articles1
Independent1
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-63030EXPKEV
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Trending: 123
CRITICALCVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
Trending: 44
HIGHCVE-2026-9700EXP
Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter
Trending: 13
CRITICALCVE-2026-6382EXP
Multiple elFinder Plugins - Authenticated OS Command Injection
Trending: 9
HIGHCVE-2026-8441EXP
WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
Trending: 6

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 8, 2026
Discovered by ZDM
Jul 8, 2026
Updated: severity, activelyExploited
Jul 8, 2026
Actively Exploited
Jul 8, 2026

Version History

v2
Last enriched 9d ago
v2Tier C9d ago

Updated severity to CRITICAL and noted that the vulnerability is actively exploited.

severityactivelyExploited
via VulDB
v19d ago

Initial creation