CVE-2025-9344 in UsersWP Plugin
Summary
by MITRE • 08/28/2025
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/28/2025
The vulnerability identified as CVE-2025-9344 affects the UsersWP plugin for WordPress, specifically targeting versions through 1.2.42. This plugin provides front-end login forms, user registration capabilities, profile management, and members directory functionality. The flaw manifests through two critical shortcodes: 'uwp_profile' and 'uwp_profile_header' which are susceptible to stored cross-site scripting attacks due to inadequate input validation and output escaping mechanisms. The vulnerability exists because the plugin fails to properly sanitize user-supplied attributes before processing them, creating an attack vector that allows malicious code injection.
The technical implementation of this vulnerability stems from insufficient sanitization of shortcode attributes within the plugin's core functionality. When administrators or users with contributor-level access and above utilize these shortcodes, the plugin accepts and processes user input without adequate filtering or escaping. This allows attackers to inject malicious JavaScript code through attributes that are then stored within the WordPress database. The stored nature of this vulnerability means that the malicious code persists and executes whenever any user accesses pages containing the injected content, making it particularly dangerous as it can affect multiple users without requiring additional exploitation steps.
The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent threat vector that can be leveraged for various malicious activities. An authenticated attacker with contributor privileges can inject scripts that might redirect users to phishing sites, steal session cookies, or perform unauthorized actions on behalf of victims. The vulnerability affects all users who access pages containing the compromised shortcodes, potentially leading to widespread compromise of user accounts and sensitive data exposure. The stored nature of the XSS vulnerability means that the attack remains active until the malicious content is manually removed from the database, creating a long-term security risk.
From a security framework perspective, this vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a classic case of insufficient input sanitization leading to code execution. The attack pattern follows typical ATT&CK techniques for initial access and privilege escalation, where an attacker with limited contributor access can escalate their impact by injecting persistent malicious code. The vulnerability demonstrates poor security practices in output escaping and input validation that violate fundamental web application security principles. Organizations should prioritize immediate patching of this vulnerability and implement additional monitoring for unauthorized shortcode modifications. The recommended mitigation includes upgrading to a patched version of the UsersWP plugin, implementing strict content filtering policies, and conducting regular security audits of all active WordPress plugins to prevent similar vulnerabilities from being introduced into the system.