Improper Access Control Vulnerability in UsersWP Plugin for WordPress
CVE-2026-4977

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
UsersWP – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For WP
Vendor
CVE Published:
10 April 2026

What is CVE-2026-4977?

The UsersWP plugin for WordPress suffers from an Improper Access Control vulnerability, impacting all versions up to and including 1.2.58. This flaw arises from inadequate field-level permission validation within the upload_file_remove() AJAX handler, specifically where the $htmlvar parameter lacks validation against a whitelist of permissible fields. As a result, authenticated attackers with subscriber-level access can manipulate restricted user meta columns, including those designated for admin use only. This circumvention of access controls jeopardizes user data and site integrity.

Affected Version(s)

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP 0 <= 1.2.58

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/userswp/trunk/...
https://plugins.trac.wordpress.org/browser/userswp/tags/1...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Quang Huynh Ngoc
.