CVE-2026-57676
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The Simple User Avatar plugin for WordPress contains an authorization bypass vulnerability through a user-controlled key. This allows exploiting incorrectly configured access control security levels.
Risk Assessment
An attacker can gain unauthorized access to functions or data they should not have permissions for, potentially leading to confidentiality and integrity breaches.
Recommendation
Immediately update the Simple User Avatar plugin to the latest available version that fixes this vulnerability. If no update is available, consider temporarily disabling the plugin.
Original NVD description (English source)
Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9.

