CVE-2026-4977

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions up to and including 1.2.58

The plugin is susceptible to Improper Access Control due to insufficient field-level permission validation within the upload file remove() AJAX handler. The $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for admin use property. This allows authenticated attackers with subscriber-level access or higher to modify restricted usermeta columns for their own user account, bypassing intended access restrictions.

Update to a version beyond 1.2.58.