Stored XSS in UsersWP WP Plugin URL Fields (1.2.60)
CVE-2026-5742 Published on April 9, 2026
UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution
The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.
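The two rendering patterns at the heart of this advisory, as an added illustration rather than UsersWP's own code: a badge widget that interpolates a stored, user-editable URL field straight into `href` (the defect the advisory describes) next to a hardened version that escapes each value for the context it lands in. The function names `render_badge_unsafe`/`render_badge_safe`, the `website`/`badge_label` field names and the sample profile are assumptions for this example; the `esc_url()`/`esc_attr()`/`esc_html()` stand-ins are simplified approximations so the file runs outside WordPress, and are skipped when the real WordPress helpers are loaded.

```php
<?php
// Added example, not code from the UsersWP plugin. Shows the unescaped
// badge-link pattern the advisory describes beside a context-escaped version.

// Minimal stand-ins so this file runs outside WordPress. Inside WordPress the
// real esc_url()/esc_attr()/esc_html() are defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Approximation of WordPress esc_url(): reject any scheme outside a short
    // allowlist (so javascript:/data: URLs become ''), then attribute-escape.
    function esc_url($url) {
        $url = trim((string) $url);
        if ($url === '') {
            return '';
        }
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https', 'mailto'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical): stored profile values are concatenated
// into markup without escaping, so a subscriber-controlled URL or label
// reaches every visitor's browser as-is.
function render_badge_unsafe(array $profile): string {
    return '<a class="uwp-badge" href="' . $profile['website'] . '" title="'
         . $profile['badge_label'] . '">' . $profile['badge_label'] . '</a>';
}

// Hardened pattern: escape for the exact output context. esc_url() for the
// href (scheme allowlist + attribute escaping), esc_attr() for the title
// attribute, esc_html() for the visible text. A rejected URL yields no link.
function render_badge_safe(array $profile): string {
    $href  = esc_url($profile['website']);
    $label = $profile['badge_label'];
    if ($href === '') {
        return '<span class="uwp-badge">' . esc_html($label) . '</span>';
    }
    return '<a class="uwp-badge" href="' . $href . '" title="' . esc_attr($label) . '">'
         . esc_html($label) . '</a>';
}

// Constructed sample input: a subscriber-editable profile whose URL field
// carries a script scheme and whose label tries to break out of an attribute.
$profile = [
    'website'     => 'javascript:alert(document.domain)',
    'badge_label' => 'Verified" onmouseover="alert(1)',
];

echo "Unsafe:\n" . render_badge_unsafe($profile) . "\n\n";
echo "Hardened:\n" . render_badge_safe($profile) . "\n";
```

Running the file prints the unsafe markup with the `javascript:` URL and the injected `onmouseover` attribute intact, while the hardened output drops the link entirely and renders the label as inert text. In a real plugin the same discipline applies on the way in: validate the URL field with `esc_url_raw()` before saving it, so a hostile value never reaches the database, and still escape on output, since other code paths may render the same field.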
Timeline
Vendor Notified
Disclosed 1 day later.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-5742 has been classified as an XSS vulnerability or weakness.
Affected Versions
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP (author: stiofansisland): versions up to and including 1.2.60 are affected.