CVE-2025-67593

A Cross-Site Request Forgery (CSRF) vulnerability exists in the UsersWP plugin for WordPress, affecting versions up to and including 1.2.48 [1]. The issue arises from insufficient validation of requests, enabling attackers to craft malicious links or forms that, when clicked by an authenticated administrator, perform unintended actions on the vulnerable site.

Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link or visiting a crafted page while authenticated [1]. No special network position is required; the attack can be executed remotely via deceptive content. This makes it suitable for mass-exploit campaigns targeting multiple sites.

A successful CSRF attack could allow an attacker to force a higher-privileged user to execute unwanted actions, such as changing settings or modifying user data, under the victim's current authentication [1]. The impact is limited by the low severity and the need for user interaction.

The vulnerability has been patched in version 1.2.49 of UsersWP [1]. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins via Patchstack or other security tools. As a workaround, hosting providers or developers can assist users unable to update promptly.