CVE-2026-5742 - Vulnerability Details

- UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution

Description

The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.

Published: 2026-04-09

Score: 6.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The UsersWP plugin stores user‑supplied URLs in badge widgets without sufficient sanitization and then outputs them without proper escaping. This allows an authenticated attacker with subscriber–level access or higher to inject arbitrary scripts. When another user views a page displaying the affected badge widget, the injected script executes in that user’s browser, potentially stealing session cookies or performing other malicious actions. The vulnerability provides a moderate level of risk, as it can impact confidentiality and integrity of user sessions and may be used for defacement.

Affected Systems

WordPress Sites running the UsersWP plugin from any author under the stiofansisland namespace, specifically versions 1.2.60 and earlier. The vulnerability affects the front‑end login form, user registration, profile, and members directory components that render badge widgets.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the site with a subscriber or higher role. Once authenticated, they can submit a malicious URL into the badge widget; the stored payload then reflects to any visitor of the page containing that widget, enabling cross‑site scripting. The attack path is straightforward and does not require additional privileges beyond the subscriber role, making exploitation feasible for sites with open or publicly exposed subscriber accounts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

stiofansisland

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.2.60

No data.

Vendor Product Confidence Versions

Stiofansisland

Userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp

100%

Version	Status	Scheme	Platform
`[0,1.2.60]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade UsersWP plugin to a version newer than 1.2.60.
If an upgrade is not possible, deactivate or delete the plugin entirely.
Inspect existing badge widgets for injected URLs and remove or sanitize them.
Limit subscriber‑level permissions or remove unnecessary subscriber accounts to reduce attack surface.
Continuously monitor site logs and user activity for signs of XSS exploitation.

Generated by OpenCVE AI on April 9, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L1963
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L392-L540
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L522-L527
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L1963
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L392-L540
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L522-L527
https://plugins.trac.wordpress.org/browser/userswp/trunk/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501691%40userswp&new=3501691%40userswp&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb49137d56?source=cve

History

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Stiofansisland Stiofansisland userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp Wordpress Wordpress wordpress
Vendors & Products		Stiofansisland Stiofansisland userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp Wordpress Wordpress wordpress

Thu, 09 Apr 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.
Title		UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L1963 https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L392-L540 https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L522-L527 https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53 https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L1963 https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L392-L540 https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L522-L527 https://plugins.trac.wordpress.org/browser/userswp/trunk/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501691%40userswp&new=3501691%40userswp&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb49137d56?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Stiofansisland Userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-09T03:25:58.117Z

Updated: 2026-04-09T03:25:58.117Z

Reserved: 2026-04-07T13:47:10.286Z

Link: CVE-2026-5742

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T05:16:05.327

Modified: 2026-04-09T05:16:05.327

Link: CVE-2026-5742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:03Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object