Blind Server-Side Request Forgery in UsersWP Plugin for WordPress
CVE-2026-4979

5 (MEDIUM)

What is CVE-2026-4979?

The UsersWP plugin for WordPress, which provides front-end login, user registration, and member directory functionality, is vulnerable to blind server-side request forgery (SSRF) by authenticated users. The flaw stems from inadequate validation of URL origins in the process_image_crop() method and affects all versions up to and including 1.2.58. An attacker can supply a user-controlled URL through the uwp_crop POST parameter, bypassing the verification that the image source is a local upload. As a result, the WordPress server can be coerced into issuing arbitrary HTTP requests, which may enable internal network scanning and unauthorized access to sensitive services.
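The check the advisory describes as missing is the one that confirms a crop source names a file inside the site's own uploads directory rather than an arbitrary URL the server would then fetch. The class below is an added hardening example written for this page; it is not UsersWP's code and the method name process_image_crop() is only referenced in the advisory. The class name LocalUploadResolver, its constructor parameters, and the sample uploads tree are assumptions (a real plugin would obtain the uploads path and URL from wp_upload_dir(); this example calls no WordPress functions so it runs with a plain PHP 8 CLI).

```php
<?php
declare(strict_types=1);

/*
 * Hypothetical hardening example (not UsersWP code): map a user-supplied
 * image reference to a file under the uploads directory, or reject it.
 * A crop routine only needs a local filesystem path, so nothing here ever
 * performs an outbound HTTP request.
 */
final class LocalUploadResolver
{
    private string $uploadsDir;   // canonical filesystem path of uploads
    private string $uploadsUrl;   // public URL prefix of the same directory

    public function __construct(string $uploadsDir, string $uploadsUrl)
    {
        $real = realpath($uploadsDir);
        if ($real === false) {
            throw new InvalidArgumentException("uploads directory not found: $uploadsDir");
        }
        $this->uploadsDir = rtrim($real, DIRECTORY_SEPARATOR);
        $this->uploadsUrl = rtrim($uploadsUrl, '/');
    }

    /**
     * Returns the canonical path of the referenced upload, or null when the
     * reference is anything else: a URL on another host or scheme, a path
     * that escapes the uploads tree, or a file that does not exist.
     */
    public function resolve(string $candidate): ?string
    {
        // The cropper needs only the path; drop query string and fragment.
        $candidate = preg_replace('/[?#].*$/s', '', $candidate) ?? '';

        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate) === 1) {
            // Absolute URL: accept only an exact match on our own uploads URL
            // prefix including the trailing slash, so look-alike hosts such as
            // "example.test.attacker.invalid" do not match.
            $prefix = $this->uploadsUrl . '/';
            if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
                return null;
            }
            $relative = substr($candidate, strlen($prefix));
        } elseif (str_starts_with($candidate, '//')) {
            return null;   // scheme-relative URL still names a remote host
        } else {
            $relative = ltrim($candidate, '/');
        }

        // Reject empty names, NUL bytes and "." / ".." segments before the
        // filesystem is consulted at all.
        if ($relative === '' || str_contains($relative, "\0")
            || preg_match('#(^|/)\.\.?(/|$)#', $relative) === 1) {
            return null;
        }

        $real = realpath($this->uploadsDir . DIRECTORY_SEPARATOR . $relative);
        if ($real === false || !is_file($real)) {
            return null;
        }

        // Containment check on the canonical path also catches symlinks that
        // point outside the uploads tree.
        $base = $this->uploadsDir . DIRECTORY_SEPARATOR;
        return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
    }
}

// Constructed uploads tree in a temporary directory for the demonstration.
$tmp = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/2024/05", 0700, true);
file_put_contents("$tmp/2024/05/avatar.png", 'constructed sample, not a real image');

$resolver = new LocalUploadResolver($tmp, 'https://example.test/wp-content/uploads');

$inputs = [
    '2024/05/avatar.png',                                              // relative path: accepted
    'https://example.test/wp-content/uploads/2024/05/avatar.png?v=1',  // own uploads URL: accepted
    'https://example.test.attacker.invalid/wp-content/uploads/2024/05/avatar.png', // look-alike host
    'http://intranet.invalid/',                                        // other host
    'file:///etc/passwd',                                              // other scheme
    '../../etc/passwd',                                                // traversal
    '//example.test/wp-content/uploads/2024/05/avatar.png',            // scheme-relative
];
foreach ($inputs as $in) {
    $out = $resolver->resolve($in);
    printf("%-78s => %s\n", $in, $out === null ? 'REJECTED' : 'ok: ' . basename($out));
}

// Clean up the constructed tree.
unlink("$tmp/2024/05/avatar.png");
rmdir("$tmp/2024/05");
rmdir("$tmp/2024");
rmdir($tmp);
```

The resolver is deliberately strict: it compares the full uploads URL prefix rather than parsing and comparing hostnames, never follows a URL, and only returns a path after realpath() has confirmed the file sits under the uploads directory. Any value that fails these checks is rejected before any I/O beyond a local stat, which is the property a crop handler needs to avoid acting as an HTTP client on the caller's behalf.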

Affected Version(s)

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP: all versions from 0 up to and including 1.2.58

References

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mariusz Maik