What the vulnerability does
01 Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58. This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handler, where the $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for_admin_use property. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear or reset any restricted usermeta column for their own user record, including fields marked as "For admin use only", bypassing intended field-level access restrictions.
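The two missing checks named above (a whitelist of registered fields and a test of the field's for_admin_use property) are what a hardened handler needs before it touches usermeta. The following is an added illustration written for this page, not UsersWP's own code: the function names with the uwp_example_ prefix, the field registry array, the nonce action and the meta key prefix are all assumptions; only the $htmlvar parameter name and the for_admin_use property come from the advisory.

```php
<?php
// Added illustration (not the plugin's code): a fail-closed AJAX handler that
// clears one profile field for the calling user. Everything prefixed
// uwp_example_ is an assumption made for this example.

/**
 * Constructed field registry standing in for the plugin's form-field table.
 * 'for_admin_use' mirrors the property the advisory names.
 */
function uwp_example_field_registry() {
    return array(
        'avatar'      => array( 'for_admin_use' => 0 ),
        'bio'         => array( 'for_admin_use' => 0 ),
        'admin_notes' => array( 'for_admin_use' => 1 ),
    );
}

/**
 * Decide whether $htmlvar may be cleared by the current user.
 * Returns the sanitized field key on success, or a WP_Error so the caller
 * can fail closed. Both checks from the advisory are enforced here.
 */
function uwp_example_validate_htmlvar( $htmlvar, $registry, $user_can_manage ) {
    $htmlvar = sanitize_key( $htmlvar );

    // Check 1: whitelist - only fields the plugin actually registered.
    if ( ! isset( $registry[ $htmlvar ] ) ) {
        return new WP_Error( 'invalid_field', 'Unknown field.' );
    }

    // Check 2: field-level permission - admin-only fields need manage_options.
    if ( ! empty( $registry[ $htmlvar ]['for_admin_use'] ) && ! $user_can_manage ) {
        return new WP_Error( 'forbidden', 'Field is for admin use only.' );
    }

    return $htmlvar;
}

/** AJAX handler: nonce, login, then field-level validation, then the write. */
function uwp_example_upload_file_remove() {
    check_ajax_referer( 'uwp_example_remove', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Login required.', 401 );
    }

    $htmlvar = isset( $_POST['htmlvar'] ) ? wp_unslash( $_POST['htmlvar'] ) : '';
    $result  = uwp_example_validate_htmlvar(
        $htmlvar,
        uwp_example_field_registry(),
        current_user_can( 'manage_options' )
    );

    if ( is_wp_error( $result ) ) {
        // wp_send_json_error() terminates the request, so no write happens.
        wp_send_json_error( $result->get_error_message(), 403 );
    }

    // Only now touch usermeta, and only the caller's own record.
    delete_user_meta( get_current_user_id(), 'uwp_example_' . $result );
    wp_send_json_success();
}
add_action( 'wp_ajax_uwp_example_upload_file_remove', 'uwp_example_upload_file_remove' );
```

The validation is split into a pure function so it can be unit-tested without a WordPress request context: passing 'admin_notes' with $user_can_manage set to false must return a WP_Error, while 'bio' must return the key unchanged. Keeping the write (delete_user_meta) after every rejection path is the property that the vulnerable pattern lacked.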
Explanation of Vulnerability in Simple Terms
02 Summary
The UsersWP plugin for WordPress versions 1.2.58 and earlier contains an authorization bypass that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can change information belonging to other users or the site. The vulnerability requires an active WordPress login but no additional user interaction.
What an attacker can do
03 Attacker Capabilities
Modify user data or settings belonging to other users on the site.
Potential impact on your site
04 Site Impact
Any registered user can alter other users' profiles, settings, or data without permission.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
April 10, 2026: CVE published
April 10, 2026: Record updated