Threat Entry Updated 2026-04-13

CVE-2026-4979 - Members Directory Plugin For Wp

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop() method when processing avatar/banner image crop operations. The function accepts a user-controlled URL via the uwp_crop POST parameter and only validates it using esc_url() for sanitization and wp_check_filetype() for extension verification, without enforcing that the URL references a local uploads file. The URL is then…

PLUGIN Members Directory Plugin For Wp

CVE-2026-4979

MEDIUM CVSS 5.0 2026-04-11

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-08-29

CVE-2025-9344 - Members Directory Plugin For Wp

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Members Directory Plugin For Wp

CVE-2025-9344

MEDIUM CVSS 6.4 2025-08-28

Risk Score

Open Full Technical Breakdown