VYPR

User Meta

by WordPress

Source repositories

CVEs (6)

  • CVE-2025-9693HigSep 11, 2025
    risk 0.52cvss 8.0epss 0.01

    The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for…

  • CVE-2025-47611HigMay 23, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Khaled User Meta user-meta allows Reflected XSS.This issue affects User Meta: from n/a through <= 3.1.2.

  • CVE-2024-9262MedNov 9, 2024
    risk 0.42cvss 6.5epss 0.00

    The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for…

  • CVE-2022-0779MedJun 8, 2022
    risk 0.42cvss 6.5epss 0.02

    The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads

  • CVE-2024-33575MedApr 29, 2024
    risk 0.35cvss 5.3epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta.This issue affects User Meta: from n/a through 3.0.

  • CVE-2022-0376MedMay 30, 2022
    risk 0.31cvss 4.8epss 0.01

    The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when…