UsersWP < 1.2.61 – Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution | CVE 2026-5742 | Plugin Vulnerabilities

Description

The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.

Affects Plugins

Fixed in 1.2.61

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb49137d56

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

Verified

No

WPVDB ID

ce42c598-fb05-48c0-8e6c-bc3e78f64dda

Timeline

Publicly Published

2026-04-08 (about 2 months ago)

Added

2026-04-08 (about 2 months ago)

Last Updated

2026-04-09 (about 2 months ago)

Other

Published

Title

Published

2023-10-18

Title

Tweeple <= 0.9.5 - Reflected XSS

Published

2025-01-03

Title

Piotnet Addons For Elementor < 2.4.32 - Contributor+ Stored XSS

Published

2025-06-26

Title

Content Manager Light <= 3.2 - Reflected Cross-Site Scripting

Published

2025-01-23

Title

Simple Video Management System <= 1.0.4 - Admin+ Stored XSS

Published

2020-09-09

Title

LearnPress < 3.2.7.3 - CSRF & XSS