🔎 Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Information

Software Type	Plugin
Software Slug	userswp (view on wordpress.org)
Software Status	Active
Software Author	stiofansisland
Software Website	userswp.io
Software Downloads	752,777
Software Active Installs	20,000
Software Record Last Updated	July 26, 2024

7 Vulnerabilities

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'

9.8

CVE-2024-6265

Jun 28, 2024

Researcher: Trương Hữu Phúc (truonghuuphuc)

UsersWP <= 1.2.4 - Cross-Site Request Forgery

4.3

CVE-2024-31936

Apr 10, 2024

Researcher: Brandon James Roldan (tomorrowisnew)

UsersWP <= 1.2.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-2423

Mar 14, 2024

Researcher: Krzysztof Zając

UsersWP <= 1.2.3.22 - Cross-Site Request Forgery

4.3

CVE ID Unknown

Nov 1, 2023

Researchers:

UsersWP <= 1.2.3.9 - Authenticated (Administrator+) CSV Injection

5.5

CVE-2022-47442

Dec 21, 2022

Researcher: Justiice

UsersWP <= 1.2.3 - Subscriber+ User Avatar Override

4.3

CVE-2022-0442

Feb 14, 2022

Researcher: Felipe de Avila

UsersWP – User Registration & User Profile <= 1.2.2.28 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Sep 6, 2021

Researcher: WPScanTeam

Title	Status	CVE ID	CVSS	Researchers	Date
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'	Patched	CVE-2024-6265	9.8	Trương Hữu Phúc (truonghuuphuc)	June 28, 2024
UsersWP <= 1.2.4 - Cross-Site Request Forgery	Patched	CVE-2024-31936	4.3	Brandon James Roldan (tomorrowisnew)	April 10, 2024
UsersWP <= 1.2.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-2423	6.4	Krzysztof Zając	March 14, 2024
UsersWP <= 1.2.3.22 - Cross-Site Request Forgery	Patched		4.3		November 1, 2023
UsersWP <= 1.2.3.9 - Authenticated (Administrator+) CSV Injection	Patched	CVE-2022-47442	5.5	Justiice	December 21, 2022
UsersWP <= 1.2.3 - Subscriber+ User Avatar Override	Patched	CVE-2022-0442	4.3	Felipe de Avila	February 14, 2022
UsersWP – User Registration & User Profile <= 1.2.2.28 - Reflected Cross-Site Scripting	Patched		6.1	WPScanTeam	September 6, 2021

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation