CVE-2026-4977 Overview
CVE-2026-4977 is an improper access control vulnerability [CWE-862] affecting the UsersWP plugin for WordPress. The flaw exists in all versions up to and including 1.2.58. The plugin provides front-end login forms, user registration, user profiles, and a members directory across WordPress sites.
The issue resides in the upload_file_remove() AJAX handler. The handler fails to validate the $htmlvar parameter against a whitelist of allowed fields or check the for_admin_use property. Authenticated users with subscriber-level access can clear or reset restricted usermeta columns on their own user record.
Critical Impact
Authenticated attackers with subscriber-level privileges can bypass field-level access restrictions and modify usermeta fields marked "For admin use only" on their own account.
Affected Products
- UsersWP WordPress plugin versions 1.2.58 and earlier
- WordPress sites using the front-end login form, user registration, profile, and members directory features
- Sites relying on the for_admin_use field property for access enforcement
Discovery Timeline
- 2026-04-10 - CVE-2026-4977 published to the National Vulnerability Database
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-4977
Vulnerability Analysis
The vulnerability stems from missing authorization checks in the UsersWP plugin's file removal AJAX endpoint. The upload_file_remove() function accepts an $htmlvar parameter from the request without validating whether the field is permitted for modification by the current user.
The plugin defines a for_admin_use property on certain user meta fields. This property indicates that the field should only be writable by administrators. The AJAX handler ignores this property entirely when processing removal requests.
As a result, any authenticated user can submit a crafted AJAX request that targets a restricted usermeta column. The handler then clears or resets the field value on the requesting user's own record. The relevant code paths are documented in class-forms.php and class-meta.php within the UsersWP source tree.
Root Cause
The root cause is insufficient field-level permission validation [CWE-862]. The upload_file_remove() AJAX handler trusts the user-supplied $htmlvar value without comparing it against an allowlist of fields the current user is permitted to modify. It also does not consult the for_admin_use field metadata before applying changes.
Attack Vector
An attacker requires authenticated access at the subscriber level or higher. The attacker sends an AJAX POST request to the WordPress admin-ajax.php endpoint, invoking the UsersWP file removal action. The request includes the targeted restricted field name as the htmlvar parameter.
The handler executes the removal against the attacker's own user record. This allows the attacker to overwrite or clear administrator-controlled metadata such as verification flags, role attributes, or other sensitive profile fields. The impact is limited to integrity of the attacker's own user metadata. See the Wordfence Vulnerability Report for additional analysis.
No verified public proof-of-concept code is available. The vulnerability mechanism can be reviewed in the WordPress plugin repository source.
Detection Methods for CVE-2026-4977
Indicators of Compromise
- AJAX POST requests to admin-ajax.php with the action parameter targeting the UsersWP upload_file_remove handler
- Unexpected htmlvar parameter values referencing fields with the for_admin_use property
- Unauthorized changes to usermeta rows where the meta_key corresponds to admin-restricted UsersWP fields
- Subscriber-level accounts generating high volumes of profile field manipulation requests
Detection Strategies
- Review WordPress access logs for requests to admin-ajax.php containing the uwp or upload_file_remove action and capture the associated user ID and htmlvar value
- Audit the wp_usermeta table for unexplained empty values on fields configured as administrator-only
- Compare current UsersWP plugin version against the fixed release 1.2.59 using site inventory tooling
Monitoring Recommendations
- Enable verbose logging on WordPress AJAX endpoints and forward events to a centralized SIEM for correlation
- Alert on subscriber-level accounts invoking plugin AJAX actions tied to profile field removal
- Track plugin version drift across managed WordPress instances and flag installations still on 1.2.58 or earlier
How to Mitigate CVE-2026-4977
Immediate Actions Required
- Upgrade the UsersWP plugin to version 1.2.59 or later on every affected WordPress site
- Audit existing subscriber and contributor accounts for unauthorized changes to admin-only profile fields
- Restrict new user registration where feasible until patching is complete
Patch Information
The vendor released UsersWP 1.2.59 to address the issue. The fix introduces validation against the field allowlist and enforces the for_admin_use property in the upload_file_remove() handler. The full diff is available in the WordPress Change Log.
Workarounds
- Disable the UsersWP plugin on sites that cannot immediately upgrade to 1.2.59
- Apply a web application firewall rule that blocks admin-ajax.php requests where the action parameter matches the UsersWP file removal handler
- Remove the for_admin_use flag dependency by temporarily storing sensitive attributes outside usermeta
# Example WP-CLI command to verify the installed UsersWP version
wp plugin get userswp --field=version
# Upgrade UsersWP to the patched release
wp plugin update userswp --version=1.2.59
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
