CVE-2025-49980: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49980) was discovered in WP Event Manager WP User Profile Avatar plugin versions through 1.0.6. The vulnerability was identified on June 19, 2025, and publicly disclosed on June 20, 2025. This security issue affects the access control security levels in the WordPress plugin (Patchstack, NVD).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The security flaw stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. The vulnerability requires a Subscriber level privilege to exploit (Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. The main concern relates to broken access control, which could potentially allow unauthorized users to perform actions beyond their intended privilege level (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to and including 1.0.6 of the WP User Profile Avatar plugin (Patchstack).

The vulnerability was initially reported by security researcher s1lentmt on May 1, 2025, and was subsequently published by Patchstack on June 19, 2025 (Patchstack).