CVE-2026-4979 MEDIUM

CVE-2026-4979: UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter

Vendor Stiofansisland
Product UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Weakness CWE-918 · SSRF
Published April 11, 2026
Last update April 13, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop() method when processing avatar/banner image crop operations. The function accepts a user-controlled URL via the uwp_crop POST parameter and only validates it using esc_url() for sanitization and wp_check_filetype() for extension verification, without enforcing that the URL references a local uploads file. The URL is then passed to uwp_resizeThumbnailImage() which uses it in PHP image processing functions (getimagesize(), imagecreatefrom*()) that support URL wrappers and perform outbound HTTP requests. This makes it possible for authenticated attackers with subscriber-level access and above to coerce the WordPress server into making arbitrary HTTP requests to attacker-controlled or internal network destinations, enabling internal network scanning and potential access to sensitive services.
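To illustrate the missing check the description points at, here is a hypothetical hardened pre-check (an added example, not UsersWP code): the `uwp_crop` value is accepted only if it maps onto a file inside this site's uploads directory, and only that resolved local path, never the URL, is handed to the image functions. `uwp_crop_source_to_local_path()` is an assumed name; `wp_upload_dir()`, `esc_url_raw()`, `wp_check_filetype()` and the other WordPress helpers used are real.

```php
<?php
// Hypothetical hardened pre-check for a crop handler (added example, not the plugin's code).
// Returns the local filesystem path of the image on success, or a WP_Error.
function uwp_crop_source_to_local_path( $raw_url ) {
    $url = esc_url_raw( wp_unslash( (string) $raw_url ) );
    if ( '' === $url ) {
        return new WP_Error( 'uwp_crop_bad_url', 'Empty or invalid URL.' );
    }

    // Only images stored under this site's own uploads directory are acceptable.
    $uploads      = wp_upload_dir();
    $baseurl      = trailingslashit( $uploads['baseurl'] );
    $basedir_real = realpath( $uploads['basedir'] );
    if ( false === $basedir_real ) {
        return new WP_Error( 'uwp_crop_no_uploads', 'Uploads directory unavailable.' );
    }
    $basedir = trailingslashit( wp_normalize_path( $basedir_real ) );

    // Anything not under the uploads base URL (another host, a non-http stream wrapper)
    // is rejected here, so getimagesize()/imagecreatefrom*() never receive a remote URL.
    if ( 0 !== strpos( $url, $baseurl ) ) {
        return new WP_Error( 'uwp_crop_not_local', 'Image must be in the uploads directory.' );
    }

    // Map URL to path: drop any query string, then resolve symlinks and '..' segments
    // and confirm the real path is still inside uploads.
    $relative = (string) wp_parse_url( substr( $url, strlen( $baseurl ) ), PHP_URL_PATH );
    $path     = realpath( $basedir . $relative );
    if ( false === $path || 0 !== strpos( wp_normalize_path( $path ), $basedir ) ) {
        return new WP_Error( 'uwp_crop_traversal', 'Resolved path is outside uploads.' );
    }

    // Extension/MIME check still applies, but now against a local file.
    $type = wp_check_filetype( $path );
    if ( empty( $type['ext'] ) || 0 !== strpos( (string) $type['type'], 'image/' ) ) {
        return new WP_Error( 'uwp_crop_filetype', 'Not an allowed image type.' );
    }
    $info = @getimagesize( $path ); // local path only; no URL wrapper is reachable
    if ( false === $info ) {
        return new WP_Error( 'uwp_crop_not_image', 'File is not a valid image.' );
    }
    return $path;
}

// Usage inside the (hypothetical) crop handler:
// $path = uwp_crop_source_to_local_path( $_POST['uwp_crop'] ?? '' );
// if ( is_wp_error( $path ) ) { wp_send_json_error( $path->get_error_message() ); }
```

Accepting an attachment ID and resolving it with `get_attached_file()` instead of accepting a URL at all removes the whole class of problem.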

Explanation of Vulnerability in Simple Terms

02 Summary

UsersWP versions up to 1.2.58 contain a server-side request forgery vulnerability that allows authenticated users to make the site send HTTP requests to internal or external systems on the attacker's behalf. The vulnerability requires a logged-in account but no additional user interaction. An attacker can use this to access internal services, retrieve sensitive data, or perform actions on behalf of the site.

What an attacker can do

03 Attacker Capabilities

Make your site send HTTP requests to internal systems or external servers under the attacker's control.

Potential impact on your site

04 Site Impact

Attackers with user accounts can probe your internal network, access private APIs, or exfiltrate data through your site.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with at least low-level privileges.

Key dates

06 Disclosure timeline

April 11, 2026 CVE published
April 13, 2026 Record updated