VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-25015

Description

Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.53.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

UsersWP plugin <=1.2.53 for WordPress contains a CSRF vulnerability that could allow attackers to force privileged users to execute unintended actions.

Vulnerability Overview

The UsersWP plugin for WordPress, in versions up to and including 1.2.53, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This type of vulnerability allows an attacker to trick an authenticated user into performing actions they did not intend to take, by crafting a malicious link or form that the victim unknowingly submits while authenticated [1].

Exploitation Requirements

To exploit this CSRF vulnerability, the attacker must convince a privileged user (such as an administrator) to interact with a crafted link, visit a malicious page, or submit a specially designed form [1]. No authentication is required for the attacker, but the victim must have an active session with the vulnerable WordPress site [1].

Impact

Successful exploitation could allow a malicious actor to force the higher-privileged user to execute unwanted actions under their current authentication state [1]. This could lead to unauthorized changes to the site's configuration, user data, or other administrative functions, depending on the specific actions the vulnerable plugin exposes.

Mitigation

The vulnerability has been addressed in version 1.2.54 of the UsersWP plugin [1]. Users are strongly advised to update to this version or later immediately to mitigate the risk [1]. The vendor recommends using auto-updates for vulnerable plugins, and users who cannot update should contact their hosting provider or web developer for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
