Flawed authorization logic in the plugin's AJAX endpoint allows unauthenticated attackers to update arbitrary user metadata for any account on the site. Nonce protection is ineffective because nonces are publicly exposed to all visitors. Attackers can modify administrative account credentials to gain full site access.
Remediation
Update the Users Manager – PN plugin to a version after 1.1.15 that fixes the authorization flaw. If no patch is released, remove the plugin from your WordPress installation to eliminate the risk.
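The flaw described above is a common WordPress plugin pattern: an AJAX action registered for logged-out visitors whose only gate is a nonce, which ties a request to a page load (a CSRF defence) but says nothing about who the caller is or which account they may touch. The following is an added illustration, not the Users Manager – PN plugin's code; all action names, meta keys and function names are hypothetical. It shows the weak pattern next to a hardened handler that checks capability against the specific target user and restricts which metadata keys can be written.

```php
<?php
/**
 * Added illustration (hypothetical, not the plugin's own code): why a nonce
 * alone does not authorize a WordPress AJAX request, and what a hardened
 * handler checks instead.
 */

// Weak pattern: the action is exposed to logged-out visitors via
// wp_ajax_nopriv_, and the handler relies only on a nonce that the page
// prints for everyone. Any visitor holding that nonce passes the check and
// chooses both the target user ID and the meta key.
add_action( 'wp_ajax_nopriv_example_update_meta', 'example_update_meta_weak' );
add_action( 'wp_ajax_example_update_meta',        'example_update_meta_weak' );
function example_update_meta_weak() {
    check_ajax_referer( 'example_meta_nonce', 'nonce' ); // CSRF check only
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    $value   = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_user_meta( $user_id, $key, $value ); // no authorization performed
    wp_send_json_success();
}

// Hardened form: no nopriv registration (logged-out callers never reach the
// handler), a nonce check for CSRF, an explicit capability check against the
// specific target user, and an allowlist of meta keys so privilege-bearing
// keys can never be written through this endpoint.
add_action( 'wp_ajax_example_update_meta', 'example_update_meta_hardened' );
function example_update_meta_hardened() {
    check_ajax_referer( 'example_meta_nonce', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    $value   = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    // Authorization: the current user must be allowed to edit THIS user.
    // The 'edit_user' meta capability resolves to 'edit_users' for other
    // accounts, so a subscriber may only ever pass for their own ID.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Allowlist of keys this endpoint may touch (hypothetical keys). Role and
    // capability meta, or anything that feeds a login path, stays off it.
    $allowed = array( 'example_phone', 'example_department' );
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'key not allowed' ), 400 );
    }

    update_user_meta( $user_id, $key, $value );
    wp_send_json_success( array( 'user_id' => $user_id, 'key' => $key ) );
}
```

Even when the nonce is printed to every visitor, the capability check is what stops unauthenticated and low-privilege callers, and the key allowlist bounds the damage of any remaining logic error. When reviewing a plugin for this class of bug, look for every `wp_ajax_nopriv_` registration and confirm its handler does more than `check_ajax_referer`.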
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.