{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5742", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-07T13:47:10.286Z", "datePublished": "2026-04-09T03:25:58.117Z", "dateUpdated": "2026-04-09T03:25:58.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T03:25:58.117Z"}, "affected": [{"vendor": "stiofansisland", "product": "UsersWP \u2013 Front-end login form, User Registration, User Profile & Members Directory plugin for WP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.60", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget."}], "title": "UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb49137d56?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L392-L540"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L392-L540"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L522-L527"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L522-L527"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L1963"}, {"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L1963"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501691%40userswp&new=3501691%40userswp&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-04-07T14:04:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T14:42:18.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget."}], "id": "CVE-2026-5742", "lastModified": "2026-04-09T05:16:05.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T05:16:05.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L1963"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L392-L540"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.php#L522-L527"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L1963"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L392-L540"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L522-L527"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/userswp/trunk/vendor/ayecode/wp-ayecode-ui/includes/components/class-aui-component-button.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501691%40userswp&new=3501691%40userswp&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb49137d56?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.60]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UsersWP \u2013 Front-end login form, User Registration, User Profile & Members Directory plugin for WP", "source": "cna", "vendor": "stiofansisland"}, "product": "userswp_\u2013_front-end_login_form,_user_registration,_user_profile_&_members_directory_plugin_for_wp", "vendor": "stiofansisland"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T05:21:29.342945+00:00", "value": {"mitigation_remediation": ["Upgrade UsersWP plugin to a version newer than 1.2.60.", "If an upgrade is not possible, deactivate or delete the plugin entirely.", "Inspect existing badge widgets for injected URLs and remove or sanitize them.", "Limit subscriber\u2011level permissions or remove unnecessary subscriber accounts to reduce attack surface.", "Continuously monitor site logs and user activity for signs of XSS exploitation."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress Sites running the UsersWP plugin from any author under the stiofansisland namespace, specifically versions 1.2.60 and earlier. The vulnerability affects the front\u2011end login form, user registration, profile, and members directory components that render badge widgets.", "description_and_impact": "The UsersWP plugin stores user\u2011supplied URLs in badge widgets without sufficient sanitization and then outputs them without proper escaping. This allows an authenticated attacker with subscriber\u2013level access or higher to inject arbitrary scripts. When another user views a page displaying the affected badge widget, the injected script executes in that user\u2019s browser, potentially stealing session cookies or performing other malicious actions. The vulnerability provides a moderate level of risk, as it can impact confidentiality and integrity of user sessions and may be used for defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the site with a subscriber or higher role. Once authenticated, they can submit a malicious URL into the badge widget; the stored payload then reflects to any visitor of the page containing that widget, enabling cross\u2011site scripting. The attack path is straightforward and does not require additional privileges beyond the subscriber role, making exploitation feasible for sites with open or publicly exposed subscriber accounts."}}}}, "created": "2026-04-09T08:15:37.022217+00:00", "updated": "2026-04-09T08:25:03.549542+00:00", "vendors": ["stiofansisland", "stiofansisland$PRODUCT$userswp_\u2013_front-end_login_form,_user_registration,_user_profile_&_members_directory_plugin_for_wp", "wordpress", "wordpress$PRODUCT$wordpress"]}