CVE-2026-25015 MEDIUM

CVE-2026-25015: WordPress UsersWP plugin <= 1.2.53 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Stiofan

Product UsersWP

Weakness CWE-352 · CSRF

Published February 3, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery.This issue affects UsersWP: from n/a through <= 1.2.53.

Explanation of Vulnerability in Simple Terms

02Summary

UsersWP versions up to 1.2.53 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of site users. An attacker can craft a malicious link or page that, when visited by a logged-in user, triggers unwanted changes. The vulnerability requires user interaction and does not expose sensitive data, but can modify site content or settings.

What an attacker can do

03Attacker Capabilities

Trick a logged-in user into performing unwanted actions on the site, such as changing settings or data.

Potential impact on your site

04Site Impact

Users' accounts can be manipulated to perform actions without their knowledge if they visit untrusted links while logged in.

Conditions required to exploit

05Prerequisites

Victim must be logged in and click a malicious link or visit an attacker-controlled page.

Key dates

06Disclosure timeline

February 3, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25015 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities