{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3139", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T17:41:54.927Z", "datePublished": "2026-03-31T11:18:56.130Z", "dateUpdated": "2026-03-31T15:40:10.227Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-31T11:18:56.130Z"}, "affected": [{"vendor": "cozmoslabs", "product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.15.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'."}], "title": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/760f7736-db49-4210-a2f3-3abb506106d7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481772/profile-builder"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2026-02-24T17:57:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-30T21:39:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:39:36.557641Z", "id": "CVE-2026-3139", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:40:10.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:39:36.557641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:39:43.494Z"}}], "cna": {"title": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cozmoslabs", "product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.15.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T17:57:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-30T21:39:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/760f7736-db49-4210-a2f3-3abb506106d7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481772/profile-builder"}], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-31T11:18:56.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3139", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:40:10.227Z", "dateReserved": "2026-02-24T17:41:54.927Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-31T11:18:56.130Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'."}], "id": "CVE-2026-3139", "lastModified": "2026-03-31T12:16:31.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-31T12:16:31.037", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3481772/profile-builder"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/760f7736-db49-4210-a2f3-3abb506106d7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor", "source": "cna", "vendor": "cozmoslabs"}, "product": "user_profile_builder_\u2013_beautiful_user_registration_forms,_user_profiles_&_user_role_editor", "vendor": "cozmoslabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T12:22:02.507167+00:00", "value": {"mitigation_remediation": ["Upgrade the User Profile Builder plugin to the latest version (\u22653.15.6).", "Limit subscriber permissions so that avatar uploads cannot modify post_author values, or disable avatar uploads for non-admin roles.", "Verify that the post_author field cannot be altered by non-privileged users in the plugin configuration.", "Monitor site logs for unexpected changes to post_author values and investigate any anomalies."], "summary": {"action": "Patch", "impact": "Post Ownership Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin from Cozmos Labs. All releases up to and including version\u00a03.15.5 are impacted. The plugin is distributed as a WordPress plugin.", "description_and_impact": "The User Profile Builder plugin for WordPress is vulnerable to an Insecure Direct Object Reference that allows an authenticated account with subscriber-level or higher privileges to change the post_author attribute of any post or attachment by submitting a crafted avatar value. This flaw enables the attacker to reassign ownership of arbitrary content, effectively escalating privileges within the site and compromising the integrity of posts and media.", "risk_and_exploitability": "The CVSS score of\u00a04.3 indicates a moderate severity. Because the flaw is exploitable only by logged\u2011in users with subscriber access or higher, the surface is larger than an unmapped vulnerability but still requires authenticated credentials. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to make a request to the avatar upload flow, supplying a malicious post_author value; no arbitrary code execution is possible. The risk is practical for sites with many subscribers who can potentially hijack content."}}}}, "created": "2026-03-31T19:54:58.357588+00:00", "updated": "2026-03-31T20:38:52.312784+00:00", "vendors": ["cozmoslabs", "cozmoslabs$PRODUCT$user_profile_builder_\u2013_beautiful_user_registration_forms,_user_profiles_&_user_role_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}