The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.
4.3CVSS
4.5AI Score
0.001EPSS
Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9.
8.8CVSS
8.6AI Score
0.001EPSS
The UsersWP β Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the βuwp_sort_byβ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied ...
9.8CVSS
9.7AI Score
0.001EPSS
The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address
7.5CVSS
6.3AI Score
0.0004EPSS