UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress, CVE-2025-9344

CVE, Research URL: CVE-2025-9344
Home page URL: Security reports for UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Application: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Published on: Aug 28, 2025
Research Description: The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.2.43.
Status: vulnerable

UsersWP &#8211; Front-end login form, User Registration, User Profile &amp; Members Directory plugin for WordPress, CVE-2025-9344