PT-2026-32088 · WordPress · Userswp

Mariusz Maik · Published 2026-04-11 · Updated 2026-04-11

CVE-2026-4979

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress, versions through 1.2.58

Description: The UsersWP plugin for WordPress is susceptible to a blind Server-Side Request Forgery (SSRF). This is caused by inadequate URL origin validation within the process_image_crop() method during avatar/banner image crop operations. The function accepts a user-controlled URL via the uwp_crop POST parameter and relies on esc_url() for sanitization and wp_check_filetype() for extension verification, without ensuring that the URL points to a file in the local uploads directory. The URL is then passed to PHP image processing functions that support URL wrappers, allowing the WordPress server to make arbitrary HTTP requests to attacker-controlled or internal network destinations. This could enable internal network scanning and access to sensitive services for authenticated attackers with subscriber-level access or higher.

Recommendations: Update the UsersWP plugin to a version later than 1.2.58.
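The missing check described above is an origin check: esc_url() only normalises the string and wp_check_filetype() only looks at the extension, so neither stops a remote URL from reaching an image function that honours URL wrappers. The following PHP is an added example, not UsersWP's own code; the helper name uwp_resolve_local_upload_path() and the call-site shape are assumptions. It resolves the uwp_crop value to a filesystem path only when the URL points inside this site's own uploads directory, and otherwise rejects the request.

```php
<?php
// Added example, not UsersWP's own code. Hypothetical helper that accepts the
// value of the uwp_crop POST parameter and returns a filesystem path only if
// the URL resolves to a file inside this site's own uploads directory.
function uwp_resolve_local_upload_path( $url ) {
    $uploads  = wp_upload_dir();
    $base_url = wp_parse_url( $uploads['baseurl'] );
    $target   = wp_parse_url( $url );
    if ( empty( $target['scheme'] ) || empty( $target['host'] ) || empty( $target['path'] ) ) {
        return false;
    }
    // Origin check the vulnerable code lacked: scheme, host and port must be
    // exactly those of the site's uploads URL, so a URL on any other origin,
    // internal or external, never reaches an image function.
    if ( strtolower( $target['scheme'] ) !== strtolower( $base_url['scheme'] )
        || strtolower( $target['host'] ) !== strtolower( $base_url['host'] )
        || ( $target['port'] ?? null ) !== ( $base_url['port'] ?? null ) ) {
        return false;
    }
    // The URL path must start with the uploads base path.
    $base_path = trailingslashit( $base_url['path'] ?? '/' );
    if ( 0 !== strpos( $target['path'], $base_path ) ) {
        return false;
    }
    // Map to a local path, then resolve ".." and symlinks with realpath and
    // re-check that the result still lives under basedir.
    $relative = rawurldecode( substr( $target['path'], strlen( $base_path ) ) );
    $basedir  = wp_normalize_path( realpath( $uploads['basedir'] ) );
    $file     = realpath( $uploads['basedir'] . '/' . $relative );
    if ( false === $file || 0 !== strpos( wp_normalize_path( $file ), trailingslashit( $basedir ) ) ) {
        return false;
    }
    // Keep the extension check, but run it on the local file, and confirm the
    // bytes are really an image before handing it to the image library.
    $type = wp_check_filetype( $file );
    if ( ! in_array( $type['ext'], array( 'jpg', 'jpeg', 'png', 'gif' ), true ) || false === @getimagesize( $file ) ) {
        return false;
    }
    return $file;
}

// Call site shape: the unsafe pattern passed the escaped URL straight to an
// image function; the hardened one only ever passes a verified local path.
$crop_url = isset( $_POST['uwp_crop'] ) ? esc_url_raw( wp_unslash( $_POST['uwp_crop'] ) ) : '';
$local    = uwp_resolve_local_upload_path( $crop_url );
if ( false === $local ) {
    wp_die( 'Image must be a file in this site\'s uploads directory.' );
}
$image = imagecreatefromjpeg( $local ); // never a URL, so no wrapper is used
```

The capability and nonce checks that normally guard the crop AJAX handler are assumed to run before this code; they are omitted here to keep the origin check in focus.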

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-4979

Affected Products: Userswp