CVE-2026-4977
CWE-862Published: April 10, 2026· Updated: Apr 13, 2026
Official Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handler where the $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for_admin_use property. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear or reset any restricted usermeta column for their own user record, including fields marked as "For admin use only", bypassing intended field-level access restrictions.
Technical Analysis
CVE-2026-4977 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A proof-of-concept (PoC) exploit exists for CVE-2026-4977. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (8)
Quick Facts
Related CVEs (CWE-862)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-4977 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts