VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter

CVE-2026-12102

Description

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing authorization check on the user_id parameter in process_image_reset() allows any editor-level user to reset another user's avatar or banner images."

Attack vector

An authenticated attacker with editor-level access or above can craft a POST request to the image reset handler (`uwp_avatar_reset` or `uwp_banner_reset`) while including a `user_id` query parameter pointing to any target user, including administrators. The vulnerable code in `process_image_reset()` [ref_id=1] only checked that `user_id` was numeric and non-empty, without verifying the attacker's capability to manage that user. This Insecure Direct Object Reference (IDOR) allows the attacker to clear the `avatar_thumb` or `banner_thumb` metadata in the `uwp_usermeta` table, permanently deleting the target's profile image or banner.

Affected code

The vulnerability resides in `includes/class-forms.php` within the `process_image_reset()` method. In versions up to 1.2.63, the method allowed any authenticated user with editor-level access to supply a `user_id` parameter without proper capability checks, enabling them to reset the avatar or banner of arbitrary users. The patch also adds a similar fix to `includes/class-profile.php` in the `crop_submit_form()` method to restrict user targeting during image cropping operations.

What the fix does

The patch [patch_id=6466788] adds a `current_user_can( 'manage_options' )` capability check to the branch that reads `$_GET['user_id']` in `process_image_reset()`, restricting the ability to target another user's images to administrators only. Additionally, the nonce verification was strengthened by binding the nonce to the specific `$user_id` (`uwp_reset_nonce_' . $type . '_' . $user_id`) instead of just the image type, preventing cross-user nonce reuse. A parallel capability check was also added to `crop_submit_form()` in `class-profile.php` to prevent similar IDOR during image cropping.
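To make the before/after concrete, the following is an added illustration written for this page, not the UsersWP code and not the patch itself. It reconstructs the behaviour the advisory describes: a `process_image_reset()`-style handler whose only check on `$_GET['user_id']` is that it is numeric and non-empty, beside a hardened version that requires `manage_options` before honouring a foreign `user_id` and binds the nonce action to that `user_id`. The WordPress functions (`current_user_can`, `wp_create_nonce`, `wp_verify_nonce`, `absint`, `get_current_user_id`) are replaced with small stand-ins, an assumption so the file runs under the `php` CLI with no WordPress install; the `uwp_usermeta` table is modelled as an in-memory array with constructed rows, and the handler/function names are illustrative.

```php
<?php
// Added illustration of CVE-2026-12102's IDOR, not the UsersWP code. WordPress
// APIs are replaced with small stand-ins (an assumption) so this runs under the
// php CLI with no WordPress install; the usermeta table is an in-memory array.
declare(strict_types=1);

// Session of the attacker: user 5, an editor (has edit_pages, lacks manage_options).
$GLOBALS['uwp_session'] = ['user_id' => 5, 'caps' => ['edit_pages' => true]];
// Constructed uwp_usermeta rows: user 1 is the administrator being targeted.
$GLOBALS['uwp_usermeta'] = [
    1 => ['avatar_thumb' => '/uploads/admin.jpg',  'banner_thumb' => '/uploads/admin-banner.jpg'],
    5 => ['avatar_thumb' => '/uploads/editor.jpg', 'banner_thumb' => ''],
];
const NONCE_SECRET = 'constructed-test-secret';

function get_current_user_id(): int { return $GLOBALS['uwp_session']['user_id']; }
function current_user_can(string $cap): bool { return !empty($GLOBALS['uwp_session']['caps'][$cap]); }
function absint($maybeint): int { return abs((int) $maybeint); }
// As in WordPress, the nonce is keyed to the action string and the *current* user
// (the real implementation also mixes in the session token and a time tick).
function wp_create_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action . '|' . get_current_user_id(), NONCE_SECRET), 0, 10);
}
function wp_verify_nonce(string $nonce, string $action): bool {
    return hash_equals(wp_create_nonce($action), $nonce);
}
function uwp_clear_meta(int $user_id, string $key): void {
    $GLOBALS['uwp_usermeta'][$user_id][$key] = '';
}

// Pre-fix behaviour as the advisory describes it: $_GET['user_id'] only has to be
// numeric and non-empty, and the nonce action carries only the image type.
function process_image_reset_vulnerable(array $get, array $post): string {
    $type    = (($post['type'] ?? '') === 'banner') ? 'banner' : 'avatar';
    $user_id = get_current_user_id();
    if (!empty($get['user_id']) && is_numeric($get['user_id'])) {
        $user_id = absint($get['user_id']);   // attacker-controlled key, no capability check
    }
    if (!wp_verify_nonce((string) ($post['nonce'] ?? ''), 'uwp_reset_nonce_' . $type)) {
        return 'bad nonce';
    }
    uwp_clear_meta($user_id, $type . '_thumb');
    return "reset {$type} for user {$user_id}";
}

// Post-fix behaviour: targeting another user requires manage_options, and the
// nonce action is bound to the specific user_id.
function process_image_reset_fixed(array $get, array $post): string {
    $type    = (($post['type'] ?? '') === 'banner') ? 'banner' : 'avatar';
    $user_id = get_current_user_id();
    if (!empty($get['user_id']) && is_numeric($get['user_id'])) {
        if (!current_user_can('manage_options')) {
            return 'forbidden';               // editors may reset only their own images
        }
        $user_id = absint($get['user_id']);
    }
    if (!wp_verify_nonce((string) ($post['nonce'] ?? ''), 'uwp_reset_nonce_' . $type . '_' . $user_id)) {
        return 'bad nonce';
    }
    uwp_clear_meta($user_id, $type . '_thumb');
    return "reset {$type} for user {$user_id}";
}

// The editor takes the avatar-reset nonce rendered on their own profile form and
// replays the POST with ?user_id=1 appended to the query string.
$post = ['type' => 'avatar', 'nonce' => wp_create_nonce('uwp_reset_nonce_avatar')];
$get  = ['user_id' => '1'];

echo process_image_reset_vulnerable($get, $post), PHP_EOL;
echo 'admin avatar_thumb after vulnerable handler: "', $GLOBALS['uwp_usermeta'][1]['avatar_thumb'], '"', PHP_EOL;

$GLOBALS['uwp_usermeta'][1]['avatar_thumb'] = '/uploads/admin.jpg';   // restore before the second run
$post['nonce'] = wp_create_nonce('uwp_reset_nonce_avatar_1');          // nonce for the new, user-bound action
echo process_image_reset_fixed($get, $post), PHP_EOL;
echo 'admin avatar_thumb after fixed handler: "', $GLOBALS['uwp_usermeta'][1]['avatar_thumb'], '"', PHP_EOL;
```

Run with `php` from the command line. The first handler clears user 1's `avatar_thumb` because the editor's own, legitimately issued nonce verifies for the type-only action and nothing ties the supplied `user_id` to a capability. In the second handler the `current_user_can( 'manage_options' )` check is the actual authorization control; the user-bound nonce action is defence in depth, since a nonce only proves the request came from a page the current user loaded, never that the user may act on someone else's record.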

Preconditions

  • Authentication: the attacker must be authenticated with at least editor-level access (the edit_pages capability).
  • Input: the attacker must know or guess the numeric user_id of the target user. WordPress assigns sequential integer IDs and the first administrator account is ordinarily user_id 1, so guessing is trivial.
  • Configuration: the request must be made from the WordPress admin area (is_admin() must be true).

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
