Security Alert Summary
The UsersWP front-end login, registration, profile and members directory plugin for WordPress contains a blind Server-Side Request Forgery (SSRF) vulnerability in the image crop handling. An authenticated user with low privileges can supply a URL that is not restricted to local uploads, causing the server to make outbound HTTP requests during image processing. This can be used to probe internal network services or reach attacker-controlled endpoints.
CVE Details
- CVE ID: CVE-2026-4979
- Affected component: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
- Affected versions: All versions up to and including 1.2.58
- Published: April 11, 2026 at 2:16:02 AM UTC
- Last modified: April 11, 2026 at 2:16:02 AM UTC
- CVSS v3.1 base score: 5.0 (MEDIUM)
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- Attack vector / complexity: Network / Low
- Authentication / privileges / user interaction: Requires authentication with low privileges (e.g., subscriber-level or higher); no user interaction
- Primary impact: Confidentiality: Low; Integrity: None; Availability: None
- CWE: CWE-918 (Server-Side Request Forgery)
Technical Details
The vulnerability is caused by insufficient URL origin validation in the process_image_crop() method when handling avatar and banner image crop operations. The method accepts a user-controlled URL via the uwp_crop POST parameter and applies only esc_url() sanitization and a wp_check_filetype() extension check; neither verifies that the URL points at a file in the site's own uploads directory. esc_url() rejects malformed input and unlisted schemes but still permits http://, https:// and ftp:// URLs, and wp_check_filetype() inspects only the extension at the end of the string.
The URL is then passed to uwp_resizeThumbnailImage(), which calls PHP image functions such as getimagesize() and imagecreatefrom*(). These functions open their argument through PHP's stream wrappers, so when allow_url_fopen is enabled (the PHP default) a remote URL is fetched with an outbound HTTP GET. Because the plugin does not restrict the URL to local files, an authenticated low-privileged user can make the server request a URL of their choosing, including internal or link-local addresses that are not reachable from outside, and use this to scan the internal network or reach services exposed only to the web server. The SSRF is blind: the fetched content is not returned to the attacker, who learns about the target from timing and error behaviour and, for attacker-controlled hosts, from the inbound request itself.
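The following is an added example, not UsersWP's own code and not the upstream fix; the function names are invented for illustration. It places the unsafe pattern described above (sanitize the string, check its extension, hand the URL to getimagesize()) next to a hardened version that treats the submitted URL only as the name of a file already stored under the site's uploads directory and never fetches it.

```php
<?php
// Illustrative example for this advisory. Not UsersWP's code; function names
// are invented. Assumes a WordPress runtime (esc_url, wp_check_filetype,
// wp_upload_dir, wp_parse_url, WP_Error are core functions/classes).

// UNSAFE: esc_url() only rejects malformed input and disallowed schemes, and
// wp_check_filetype() only looks at the extension in the string. Neither asks
// where the URL points, so "http://10.0.0.5:8080/a.jpg" passes and
// getimagesize() fetches it over the network when allow_url_fopen is on.
function example_crop_source_unsafe( $url ) {
	$url  = esc_url( wp_unslash( $url ) );
	$type = wp_check_filetype( $url );
	if ( empty( $type['ext'] ) ) {
		return new WP_Error( 'bad_type', 'Not an image.' );
	}
	return getimagesize( $url ); // outbound request to whatever host the user named
}

// HARDENED: map the URL onto a path under wp_upload_dir()['basedir'] and hand
// only that verified local path to the image functions. No request is made.
function example_resolve_local_upload( $url ) {
	$url     = esc_url_raw( wp_unslash( $url ) );
	$uploads = wp_upload_dir();
	$base    = wp_parse_url( $uploads['baseurl'] );
	$parts   = wp_parse_url( $url );
	$basedir = realpath( $uploads['basedir'] );

	// 1. Same scheme and host as the uploads URL, and the path must sit under it.
	$base_path = trailingslashit( isset( $base['path'] ) ? $base['path'] : '/' );
	if ( false === $basedir
		|| empty( $parts['scheme'] ) || empty( $parts['host'] ) || empty( $parts['path'] )
		|| 0 !== strcasecmp( $parts['scheme'], $base['scheme'] )
		|| 0 !== strcasecmp( $parts['host'], $base['host'] )
		|| 0 !== strpos( $parts['path'], $base_path ) ) {
		return new WP_Error( 'not_local', 'Only files in the uploads directory may be cropped.' );
	}

	// 2. Translate the remaining URL path into a filesystem path. realpath()
	//    resolves "../" and symlinks, so containment is re-checked afterwards.
	$relative = rawurldecode( substr( $parts['path'], strlen( $base_path ) ) );
	if ( false !== strpos( $relative, "\0" ) ) {
		return new WP_Error( 'not_found', 'Invalid path.' );
	}
	$path = realpath( $basedir . DIRECTORY_SEPARATOR . $relative );
	if ( false === $path
		|| 0 !== strpos( $path, $basedir . DIRECTORY_SEPARATOR )
		|| ! is_file( $path ) ) {
		return new WP_Error( 'not_found', 'File does not exist inside uploads.' );
	}

	// 3. Type-check the real file, not the user-supplied string, and sniff its bytes.
	$type = wp_check_filetype( $path );
	if ( ! in_array( $type['ext'], array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
		return new WP_Error( 'bad_type', 'Not an allowed image type.' );
	}
	if ( false === @getimagesize( $path ) ) { // local path: no stream wrapper, no outbound request
		return new WP_Error( 'bad_image', 'File is not a readable image.' );
	}
	return $path;
}

// Caller: pass the resolved local path, never the submitted URL, to the crop routine.
// $src = example_resolve_local_upload( isset( $_POST['uwp_crop'] ) ? $_POST['uwp_crop'] : '' );
// if ( is_wp_error( $src ) ) { wp_die( $src ); }
```

The hardened version removes the request rather than trying to blocklist internal addresses: a blocklist has to anticipate IPv6 forms, decimal and octal IP notation, redirects and DNS rebinding, whereas using the URL only to locate a file the site already stores leaves nothing for the image functions to fetch. The example's port is deliberately ignored, since no connection is ever made to it.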
How This Could Impact Your Website
Consider a site where the owner manages content, internal staff publish posts, and external contractors supply media. Any of those accounts, down to a subscriber, could submit a crafted image crop request that forces your server to contact internal services or external endpoints. The direct technical impact is limited to information disclosure through server-initiated requests (confidentiality impact rated low), and because the SSRF is blind the attacker sees no response body; what leaks is whether a host or port answers, how long it takes, and whatever the request itself carries to an endpoint the attacker controls.
Practical consequences include an attacker mapping internal network services that are otherwise unreachable from the internet and using that picture to stage further attacks or targeted phishing and social engineering against staff or contractors. Services that act on a bare GET request (for example an internal API that performs an action on a URL visit) could also be triggered through the SSRF channel.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update UsersWP to a release that includes the fix (the upstream commit is listed under References) as soon as it is available to you.
- Review and reduce unnecessary user roles, especially contributor and subscriber accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor for unexpected outbound connections from the PHP worker processes, in particular to loopback, link-local or private address ranges, and for crop requests whose uwp_crop value is not a URL under your own uploads directory; where possible, restrict egress from the web server to the destinations it actually needs.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://github.com/AyeCode/userswp/commit/ca0c81b9c76a26c5ac78a8f3604cf9122a7a4aa1
- https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L198
- https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/misc.php#L136
- https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L198
- https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/misc.php#L136
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd2b3fd-1bca-4611-9753-ccb57b0e36a4?source=cve