{"id":"CVE-2025-9344","details":"The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","modified":"2026-04-10T05:38:30.161436Z","published":"2025-08-28T03:15:38.523Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3349701%40userswp&new=3349701%40userswp&sfp_email=&sfph_mail="},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/0ecba857-03d8-4a2e-9450-146d442f5533?source=cve"},{"type":"FIX","url":"https://github.com/AyeCode/userswp/commit/2e18c3f70a3f24f4f4ef2ec44d38fda82866c902"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ayecode/userswp","events":[{"introduced":"0"},{"fixed":"2e18c3f70a3f24f4f4ef2ec44d38fda82866c902"}]}],"versions":["1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.1.3","1.2.0","1.2.0.1","1.2.0.10","1.2.0.11","1.2.0.12","1.2.0.2","1.2.0.3","1.2.0.4","1.2.0.5","1.2.0.6","1.2.0.7","1.2.0.8","1.2.0.9","1.2.1","1.2.1.1","1.2.1.2","1.2.1.3","1.2.1.4","1.2.1.5","1.2.1.6","1.2.1.7","1.2.1.8","1.2.1.9","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.2.1","1.2.2.10","1.2.2.11","1.2.2.12","1.2.2.13","1.2.2.14","1.2.2.15","1.2.2.16","1.2.2.17","1.2.2.18","1.2.2.19","1.2.2.2","1.2.2.20","1.2.2.21","1.2.2.22","1.2.2.23","1.2.2.24","1.2.2.25","1.2.2.26","1.2.2.27","1.2.2.28","1.2.2.29","1.2.2.3","1.2.2.30","1.2.2.31","1.2.2.32","1.2.2.33","1.2.2.34","1.2.2.35","1.2.2.36","1.2.2.37","1.2.2.4","1.2.2.5","1.2.2.6","1.2.2.7","1.2.2.8","1.2.2.9","1.2.20","1.2.23","1.2.24","1.2.25","1.2.26","1.2.27","1.2.28","1.2.29","1.2.3","1.2.3.1","1.2.3.10","1.2.3.11","1.2.3.12","1.2.3.13","1.2.3.14","1.2.3.15","1.2.3.16","1.2.3.17","1.2.3.18","1.2.3.19","1.2.3.2","1.2.3.20","1.2.3.21","1.2.3.22","1.2.3.23","1.2.3.24","1.2.3.3","1.2.3.4","1.2.3.5","1.2.3.6","1.2.3.7","1.2.3.8","1.2.3.9","1.2.30","1.2.31","1.2.32","1.2.33","1.2.34","1.2.35","1.2.36","1.2.37","1.2.38","1.2.39","1.2.4","1.2.40","1.2.41","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9344.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}