Lucene search
K

79 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-13492

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS0.00525EPSS
Exploits0References8
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-13492 UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS0.00525EPSS
Exploits0References8
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42686

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS6AI score0.00525EPSS
Exploits0References8
CVE
CVE
added 5 days ago10 views

CVE-2026-13492

The CVE-2026-13492 entry concerns the WordPress UsersWP plugin (affected versions up to and including 1.2.65). The vulnerability arises from insufficient validation of file-field values in UsersWP_Validation::validate_fields(), which falls through to sanitize_text_field() for fields of type 'file...

8.8CVSS6AI score0.00525EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56916

Name of the Vulnerable Software and Affected Versions UsersWP versions prior to 1.2.66 Description Authenticated attackers with Subscriber-level access and above can delete arbitrary files on the server, including the wp-config.php file. This occurs because the validate fields function in UsersWP...

8.8CVSS6.2AI score0.00525EPSS
Exploits0References10
NVD
NVD
added 2026/06/18 8:16 a.m.11 views

CVE-2026-12102

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS0.0028EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/06/18 6:50 a.m.7 views

CVE-2026-12102

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS5.4AI score0.0028EPSS
Exploits0References13
EUVD
EUVD
added 2026/06/18 6:50 a.m.10 views

EUVD-2026-37860

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS5.4AI score0.0028EPSS
Exploits0References12
CVE
CVE
added 2026/06/18 6:50 a.m.22 views

CVE-2026-12102

Affected software: WordPress plugin UsersWP (Front-end login, registration, profile, members directory) up to version 1.2.63. Vulnerability: Insecure Direct Object Reference via the user_id parameter due to missing validation on a user-controlled key in uwp_usermeta, enabling an authenticated att...

2.7CVSS5.5AI score0.0028EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.12 views

CVE-2026-5742

The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible f...

6.4CVSS5.6AI score0.00234EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/13 7:24 p.m.5 views

CVE-2026-4979

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...

5CVSS5.9AI score0.00356EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/04/13 9:23 a.m.7 views

WordPress UsersWP plugin <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via User Badge Link Substitution vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin UsersWP versions = 1.2.60...

6.4CVSS5.8AI score0.00234EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/04/11 2:16 a.m.6 views

CVE-2026-4979

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...

5CVSS0.00356EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/11 1:25 a.m.30 views

CVE-2026-4979 UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...

5CVSS0.00356EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/11 1:25 a.m.8 views

CVE-2026-4979

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...

5CVSS5.9AI score0.00356EPSS
Exploits0References7
EUVD
EUVD
added 2026/04/11 1:25 a.m.4 views

EUVD-2026-21649

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...

5CVSS5.9AI score0.00356EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/10 3:31 a.m.4 views

EUVD-2026-21266

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS5.9AI score0.00297EPSS
Exploits0References9
NVD
NVD
added 2026/04/10 2:16 a.m.10 views

CVE-2026-4977

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS0.00297EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/04/10 1:25 a.m.29 views

CVE-2026-4977 UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

4.3CVSS0.00297EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/04/10 12:10 a.m.7 views

WordPress UsersWP plugin <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter vulnerability

Authenticated Subscriber+ Restricted Usermeta Modification via 'htmlvar' Parameter vulnerability discovered by nquangit - Techlab Corporation in WordPress Plugin UsersWP versions = 1.2.58...

4.3CVSS5.9AI score0.00297EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder