Name of the Vulnerable Software and Affected Versions:
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions through 1.2.44
Description:
The UsersWP plugin for WordPress is vulnerable to time-based blind SQL Injection via the `htmlvar` parameter of its `upload file remove` function in all versions up to, and including, 1.2.44. The parameter is not escaped sufficiently and the existing SQL query is not prepared (in WordPress terms, not passed through `$wpdb->prepare()`), so an attacker can append additional SQL to the query. The function is reachable without authentication, and because its response carries no query output, an attacker extracts data blindly by inferring it one condition at a time from induced delays (for example with `SLEEP()`); this is slow but still exposes sensitive information from the database.
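The pattern behind this class of bug, and the fix the advisory's "inadequate preparation" points at, is illustrated below. This is an added example written for this page, not the UsersWP plugin's own code: the handler names, the `uwp_usermeta` table, the `htmlvar_name` column and the nonce action are assumptions chosen for illustration. The first function interpolates the request parameter directly into the query; the second binds it with `$wpdb->prepare()` and adds the request checks a remove-file handler should have.

```php
<?php
// Added illustration, not the UsersWP plugin's code. The table name,
// column names, handler names and nonce action are assumptions.

// VULNERABLE PATTERN: the request parameter goes straight into the SQL text.
// A value such as  foo' AND SLEEP(5)-- -  becomes part of the statement;
// the handler returns nothing useful, so the attacker reads the response
// time instead of the data (time-based blind SQL injection).
function example_vulnerable_file_remove() {
    global $wpdb;
    $htmlvar = $_POST['htmlvar'];              // untrusted, unescaped
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $wpdb->query(
        "DELETE FROM {$wpdb->prefix}uwp_usermeta "
        . "WHERE user_id = $user_id AND htmlvar_name = '$htmlvar'"
    );
    wp_send_json_success();
}

// HARDENED PATTERN: CSRF nonce, an authenticated user id taken from the
// session rather than the request, input normalised, and the value bound
// through $wpdb->prepare() so it can only ever be data, never SQL.
function example_hardened_file_remove() {
    global $wpdb;
    check_ajax_referer( 'example_file_remove', 'nonce' );  // dies on bad nonce
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $htmlvar = sanitize_text_field( wp_unslash( $_POST['htmlvar'] ?? '' ) );
    // Defence in depth: field keys are simple identifiers, so reject
    // anything else before it reaches the database at all.
    if ( ! preg_match( '/^[a-z0-9_]+$/', $htmlvar ) ) {
        wp_send_json_error( 'invalid field name', 400 );
    }
    // %d and %s are placeholders; prepare() quotes and escapes %s itself,
    // so the query text must not put quotes around it.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}uwp_usermeta WHERE user_id = %d AND htmlvar_name = %s",
        $user_id,
        $htmlvar
    ) );
    wp_send_json_success();
}
```

When reviewing a plugin for this bug class, search for `$wpdb->query`, `$wpdb->get_var`, `$wpdb->get_results` and similar calls whose SQL string contains `$_GET`, `$_POST`, `$_REQUEST` or a variable derived from them without an enclosing `$wpdb->prepare()`; a `wp_ajax_nopriv_` registration on the same handler is what turns such a query into an unauthenticated issue.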
Recommendations:
Update to version 1.2.45, or a newer patched version.