🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Information

Software Type	Plugin
Software Slug	userswp (view on wordpress.org)
Software Status	Active
Software Author	stiofansisland
Software Website	userswp.io
Software Downloads	845,950
Software Active Installs	20,000
Software Record Last Updated	December 3, 2024

9 Vulnerabilities

Submit a Vulnerability

UsersWP <= 1.2.15 - Missing Authorization

5.3

CVE-2024-43277

Aug 16, 2024

Researcher: Ananda Dhakal

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP <= 1.2.11 - Unauthenticated Information Disclosure via Unprotected Directories

5.3

CVE-2024-6477

Jul 13, 2024

Researcher: Majdeddine Ben Hadj Brahim

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'

9.8

CVE-2024-6265

Jun 28, 2024

Researcher: Trương Hữu Phúc (truonghuuphuc)

UsersWP <= 1.2.4 - Cross-Site Request Forgery

4.3

CVE-2024-31936

Apr 10, 2024

Researcher: Brandon James Roldan (tomorrowisnew)

UsersWP <= 1.2.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-2423

Mar 14, 2024

Researcher: Krzysztof Zając

UsersWP <= 1.2.3.22 - Cross-Site Request Forgery

4.3

CVE ID Unknown

Nov 1, 2023

Researchers:

UsersWP <= 1.2.3.9 - Authenticated (Administrator+) CSV Injection

5.5

CVE-2022-47442

Dec 21, 2022

Researcher: Justiice

UsersWP <= 1.2.3 - Subscriber+ User Avatar Override

4.3

CVE-2022-0442

Feb 14, 2022

Researcher: Felipe de Avila

UsersWP – User Registration & User Profile <= 1.2.2.28 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Sep 6, 2021

Researcher: WPScanTeam

Title	Status	CVE ID	CVSS	Researchers	Date
UsersWP <= 1.2.15 - Missing Authorization	Patched	CVE-2024-43277	5.3	Ananda Dhakal	August 16, 2024
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP <= 1.2.11 - Unauthenticated Information Disclosure via Unprotected Directories	Patched	CVE-2024-6477	5.3	Majdeddine Ben Hadj Brahim	July 13, 2024
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'	Patched	CVE-2024-6265	9.8	Trương Hữu Phúc (truonghuuphuc)	June 28, 2024
UsersWP <= 1.2.4 - Cross-Site Request Forgery	Patched	CVE-2024-31936	4.3	Brandon James Roldan (tomorrowisnew)	April 10, 2024
UsersWP <= 1.2.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-2423	6.4	Krzysztof Zając	March 14, 2024
UsersWP <= 1.2.3.22 - Cross-Site Request Forgery	Patched		4.3		November 1, 2023
UsersWP <= 1.2.3.9 - Authenticated (Administrator+) CSV Injection	Patched	CVE-2022-47442	5.5	Justiice	December 21, 2022
UsersWP <= 1.2.3 - Subscriber+ User Avatar Override	Patched	CVE-2022-0442	4.3	Felipe de Avila	February 14, 2022
UsersWP – User Registration & User Profile <= 1.2.2.28 - Reflected Cross-Site Scripting	Patched		6.1	WPScanTeam	September 6, 2021

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation