wpusermanager CVE Vulnerabilities & Metrics

Focus on wpusermanager vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About wpusermanager Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with wpusermanager. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total wpusermanager CVEs: 4
Earliest CVE date: 17 Jul 2022, 11:15 UTC
Latest CVE date: 23 Nov 2024, 04:15 UTC

Latest CVE reference: CVE-2024-10537

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical wpusermanager CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.5

Max CVSS: 6.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	3
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS wpusermanager CVEs

These are the five CVEs with the highest CVSS scores for wpusermanager, sorted by severity first and recency.

CVE-2021-24655 wpusermanager Published on 17 Jul 2022, 11:15 UTC (CVSS: 6.0)
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
CVE-2024-10537 wpusermanager Published on 23 Nov 2024, 04:15 UTC (CVSS: 0)
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
CVE-2024-10216 wpusermanager Published on 23 Nov 2024, 04:15 UTC (CVSS: 0)
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sideb...
CVE-2024-43336 wpusermanager Published on 26 Aug 2024, 21:15 UTC (CVSS: 0)
Cross-Site Request Forgery (CSRF) vulnerability in WP User Manager.This issue affects WP User Manager: from n/a through 2.9.10.

All CVEs for wpusermanager

CVE-2024-10537 wpusermanager vulnerability CVSS: 0 23 Nov 2024, 04:15 UTC

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.

CVE-2024-10216 wpusermanager vulnerability CVSS: 0 23 Nov 2024, 04:15 UTC

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.

CVE-2024-43336 wpusermanager vulnerability CVSS: 0 26 Aug 2024, 21:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in WP User Manager.This issue affects WP User Manager: from n/a through 2.9.10.

CVE-2021-24655 wpusermanager vulnerability CVSS: 6.0 17 Jul 2022, 11:15 UTC

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.