The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handler where the $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for_admin_use property. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear or reset any restricted usermeta column for their own user record, including fields marked as "For admin use only", bypassing intended field-level access restrictions.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 8
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-f…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-f…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-m…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.p…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.p…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-meta.ph…
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?old_path=%2Fuserswp/tags/1.2.58&ne…
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/efee685c-e2cd-471b-ae…
security@wordfence.com