UsersWP Plugin SSRF Vulnerability Exposes WordPress Sites


A critical blind Server-Side Request Forgery (SSRF) vulnerability has been identified in the UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress. According to CVE Notify, this flaw, tracked as CVE-2026-4979, affects all versions up to and including 1.2.58.

The vulnerability stems from inadequate URL origin validation within the process_image_crop() method. This function, used for avatar and banner image crop operations, accepts a user-controlled URL via the uwp_crop POST parameter. CVE Notify highlights that although esc_url() and wp_check_filetype() are applied for sanitization and extension verification, neither enforces that the URL points to a file in the site's own uploads directory. The URL is therefore passed to uwp_resizeThumbnailImage(), which hands it to PHP image functions such as getimagesize() and imagecreatefrom*(). Because these functions honour PHP's URL stream wrappers, they fetch the supplied URL, so the server makes an outbound HTTP request chosen by the user.

This oversight creates a significant attack vector. Authenticated attackers, even those with subscriber-level access, can exploit this to coerce the WordPress server into making arbitrary HTTP requests. This effectively allows for internal network scanning and potential access to sensitive services, turning a seemingly benign image processing function into a pivot for network reconnaissance and potential breach.
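The missing check described above, as an added example that is not the UsersWP plugin's code: the crop URL is resolved to a file under wp-content/uploads before anything is passed to the image functions, and any URL on another origin, with a traversal path, or without an image extension is refused. It assumes WordPress is loaded; the function name is hypothetical.

```php
<?php
/**
 * Added example, not the UsersWP plugin's code: resolve a user-supplied crop URL to
 * a file inside wp-content/uploads, or refuse it. Assumes WordPress is loaded; the
 * wp_* helpers and trailingslashit() used here are real WordPress functions; the
 * function name uwp_example_resolve_local_upload is hypothetical.
 */
function uwp_example_resolve_local_upload( $url ) {
    $uploads  = wp_upload_dir();
    $base_url = wp_parse_url( trailingslashit( $uploads['baseurl'] ) );
    $real_dir = realpath( $uploads['basedir'] );
    if ( ! is_string( $url ) || false === $real_dir || empty( $base_url['scheme'] ) || empty( $base_url['host'] ) ) {
        return false;
    }
    $base_dir = trailingslashit( wp_normalize_path( $real_dir ) );
    // 1. Only absolute URLs on the site's own uploads origin: scheme, host and
    //    port must match, and URLs carrying credentials are refused outright.
    $u = wp_parse_url( $url );
    if ( ! is_array( $u ) || empty( $u['scheme'] ) || empty( $u['host'] ) || empty( $u['path'] )
        || strtolower( $u['scheme'] ) !== strtolower( $base_url['scheme'] )
        || strtolower( $u['host'] ) !== strtolower( $base_url['host'] )
        || ( $u['port'] ?? null ) !== ( $base_url['port'] ?? null )
        || isset( $u['user'] ) || isset( $u['pass'] ) ) {
        return false;
    }
    // 2. The URL path must sit below the uploads URL path. Decode it, then let
    //    realpath() collapse any "../" and confirm the result is still inside.
    if ( 0 !== strpos( $u['path'], $base_url['path'] ) ) {
        return false;
    }
    $rel  = rawurldecode( substr( $u['path'], strlen( $base_url['path'] ) ) );
    $file = ( '' === $rel || false !== strpos( $rel, "\0" ) ) ? false : realpath( $base_dir . $rel );
    if ( false === $file || 0 !== strpos( wp_normalize_path( $file ), $base_dir ) ) {
        return false;
    }
    // 3. Extension/MIME check on the local path, not on the raw URL.
    $type = wp_check_filetype( $file );
    if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        return false;
    }
    return $file; // a filesystem path, so getimagesize() never touches a URL wrapper
}
// Constructed usage: hand the resolved local path, never the URL, to the image code.
$raw   = ( isset( $_POST['uwp_crop'] ) && is_string( $_POST['uwp_crop'] ) ) ? wp_unslash( $_POST['uwp_crop'] ) : '';
$local = uwp_example_resolve_local_upload( $raw );
if ( false === $local ) {
    wp_send_json_error( 'Image must be an existing file in the uploads directory.' );
}
$size = getimagesize( $local );
```

Disabling allow_url_fopen in php.ini is a useful second layer, since getimagesize() and imagecreatefrom*() then cannot open http(s) URLs at all, but it does not replace the origin check above.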

What This Means For You

  • If your WordPress site uses the UsersWP plugin, you are exposed to blind SSRF attacks. Immediately check your plugin version; if it's 1.2.58 or older, update it to the latest patched version. Audit your server logs for any unusual outbound HTTP requests originating from your WordPress instance, especially those related to image processing functions.

Related ATT&CK Techniques

Indicators of Compromise

ID              Type         Indicator
CVE-2026-4979   SSRF         UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress, versions <= 1.2.58
CVE-2026-4979   SSRF         Vulnerable function: process_image_crop() in UsersWP plugin
CVE-2026-4979   SSRF         Vulnerable parameter: uwp_crop POST parameter in UsersWP plugin
CVE-2026-4979   SSRF         CWE-918: Server-Side Request Forgery (SSRF) in UsersWP plugin
CVE-2026-4979   Auth Bypass  Authenticated attackers with subscriber-level access can exploit SSRF in UsersWP plugin