CVE-2026-4977
Received Received - Intake
Improper Access Control in UsersWP Plugin Allows Usermeta Manipulation

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handler where the $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for_admin_use property. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear or reset any restricted usermeta column for their own user record, including fields marked as "For admin use only", bypassing intended field-level access restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4977
EUVD
EUVD-2026-21266
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
userswp userswp to 1.2.58 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with subscriber-level access and above to bypass intended field-level access restrictions and clear or reset restricted usermeta fields, including those marked "For admin use only".

This improper access control could potentially lead to unauthorized modification of user data, which may impact compliance with data protection standards and regulations such as GDPR and HIPAA that require strict access controls and protection of sensitive user information.

Executive Summary

The vulnerability exists in the UsersWP WordPress plugin, specifically in the upload_file_remove() AJAX handler. It occurs because the plugin does not properly validate the $htmlvar parameter against a whitelist of allowed fields or check if the field is marked for admin use only.

As a result, authenticated users with subscriber-level access or higher can bypass intended field-level access restrictions and clear or reset any restricted usermeta column for their own user record, including those fields meant only for administrators.

Impact Analysis

This vulnerability allows authenticated users with low-level access (subscriber-level and above) to modify restricted user metadata fields for their own accounts that should normally be protected.

The impact is limited to integrity issues where users can reset or clear sensitive fields that are intended only for admin use, potentially leading to unauthorized changes in user profile data.

The CVSS score of 4.3 indicates a low to medium severity impact, with no confidentiality or availability impact, but with some integrity impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart