UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Vulnerabilities 21Slug userswpLatest version 1.2.62WordPress.org →

Minimum safe version

1.2.61

Update to 1.2.61 or later to address 21 fixable vulnerabilities

Latest available1.2.62
Medium 5.0
2026-04-11< 1.2.59

UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter

EUVDWordfenceCVE
N/A
2026-04-08< 1.2.61

UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution

WordfenceCVE
N/A
2026-04-09< 1.2.59

UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter

WordfenceCVE
Medium 4.3
2025-12-15< 1.2.49

UsersWP <= 1.2.48 - Cross-Site Request Forgery

WordfenceCVE
Medium 5.3
2025-11-25< 1.2.48

UsersWP <= 1.2.47 - Missing Authorization

WordfenceCVEEUVD
Medium 6.4
2025-08-28< 1.2.43

WordPress UsersWP Plugin <= 1.2.42 is vulnerable to Cross Site Scripting (XSS)

EUVDPatchstackWordfenceCVE
High 7.5
2024-08-05< 1.2.12

WordPress UsersWP Plugin < 1.2.12 is vulnerable to Sensitive Data Exposure

PatchstackCVEWordfence
Critical 9.8
2024-07-01< 1.2.11

WordPress UsersWP Plugin <= 1.2.10 is vulnerable to SQL Injection

PatchstackCVEWordfence
N/A
< 1.2.3.23

UsersWP &lt; 1.2.3.23 - Profile Picture Deletion via CSRF

WPScan
N/A
2023-11-01< 1.2.3.23

UsersWP <= 1.2.3.22 - Cross-Site Request Forgery

Wordfence
N/A
2022-12-21< 1.2.3.10

UsersWP <= 1.2.3.9 - Authenticated (Administrator+) CSV Injection

Wordfence
N/A
2022-12-23< 1.2.3.10

WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress Plugin <= 1.2.3.9 is vulnerable to CSV Injection

Patchstack
N/A
2021-09-06< 1.2.2.29

UsersWP – User Registration & User Profile <= 1.2.2.28 - Reflected Cross-Site Scripting

Wordfence
N/A
< 1.2.2.29

wpscan.com

WPScan