Vulnerabilities ›

CVE-2026-5742

Medium

CWE-79 — Weakness Type

                    Published: Apr 9, 2026                      ·  Modified: Apr 12, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.

🤖 AI Executive Summary

The UsersWP WordPress plugin versions up to 1.2.60 contain a Stored XSS vulnerability in badge widgets due to insufficient input sanitization of URL fields. Authenticated subscribers can inject malicious scripts that execute when users view pages with affected widgets.

📄 Description (Arabic)

ثغرة Stored XSS في مكون UsersWP تؤثر على أدوات الشارات بسبب عدم تعقيم مدخلات حقول URL بشكل كافٍ. يمكن للمهاجمين المصرحين على مستوى المشترك أو أعلى حقن برامج نصية ضارة تُنفذ عند وصول المستخدمين إلى الصفحات المحتوية على الأداة المتأثرة.

🤖 ملخص تنفيذي (AI)

يحتوي مكون UsersWP لـ WordPress في الإصدارات حتى 1.2.60 على ثغرة XSS مخزنة في أدوات الشارات بسبب عدم كفاية تعقيم المدخلات. يمكن للمشتركين المصرحين بحقن برامج نصية ضارة تُنفذ عند عرض الصفحات.

🤖 AI Intelligence Analysis Analyzed: May 14, 2026 03:16

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update UsersWP plugin to version 1.2.61 or later immediately. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads. Review and audit all user profiles for suspicious badge widget content. Restrict subscriber-level permissions if not required for business operations. Enable WordPress security plugins with XSS protection capabilities.

🔧 خطوات المعالجة (العربية)

قم بتحديث مكون UsersWP إلى الإصدار 1.2.61 أو أحدث فوراً. طبق قواعد جدار حماية تطبيقات الويب لكشف حقن XSS. راجع جميع ملفات المستخدمين للتحقق من المحتوى المريب. قيد صلاحيات المشتركين إذا لم تكن مطلوبة. فعّل مكونات أمان WordPress مع حماية XSS.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.3.1 5.3.2

🔵 SAMA CSF

CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 10

🔗

https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.p...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/pages.p...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/vendor/ayecode/wp-ayecod...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L1963

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L39...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/pages.php#L52...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/userswp/trunk/vendor/ayecode/wp-ayecode-ui/i...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=350169...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb619c5-967c-4b8c-8a93-bcdb4...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-04-09

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-5742

Introduce Yourself

Sign In Required