WordPress Plugin Vulnerabilities

UsersWP < 1.2.16 - Missing Authorization

Description

The UsersWP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activation_redirect() function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to trigger the activation redirect.

Affects Plugins

Plugin icon
userswp
Fixed in 1.2.16

References

CVE
CVE-2024-43277
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5a88a9-55ff-428d-9ce2-3247f5d48266

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
8a290432-42b7-4962-a9da-6bf2d0e3c747

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-19 (about 1 year ago)
Last Updated
2024-08-19 (about 1 year ago)

Other

Published
Title
Published
2022-03-14
Title
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure
Published
2025-12-31
Title
Walker for Elementor <= 1.1.6 - Missing Authorization
Published
2026-04-16
Title
Ultra Addons for WPForms < 1.0.12 - Missing Authorization
Published
2024-03-28
Title
Events Manager < 6.4.7 - Missing Authorization
Published
2025-06-19
Title
WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily <= 1.2.4.5 - Missing Authorization