{"id":"CVE-2026-4979","summary":"UsersWP \u003c= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter","details":"The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop() method when processing avatar/banner image crop operations. The function accepts a user-controlled URL via the uwp_crop POST parameter and only validates it using esc_url() for sanitization and wp_check_filetype() for extension verification, without enforcing that the URL references a local uploads file. The URL is then passed to uwp_resizeThumbnailImage() which uses it in PHP image processing functions (getimagesize(), imagecreatefrom*()) that support URL wrappers and perform outbound HTTP requests. This makes it possible for authenticated attackers with subscriber-level access and above to coerce the WordPress server into making arbitrary HTTP requests to attacker-controlled or internal network destinations, enabling internal network scanning and potential access to sensitive services.","modified":"2026-07-15T01:49:01.524750508Z","published":"2026-04-11T01:25:00.447Z","database_specific":{"cna_assigner":"Wordfence","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4979.json"},"references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L198"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/misc.php#L136"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L198"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/misc.php#L136"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd2b3fd-1bca-4611-9753-ccb57b0e36a4?source=cve"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4979.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4979"},{"type":"FIX","url":"https://github.com/AyeCode/userswp/commit/ca0c81b9c76a26c5ac78a8f3604cf9122a7a4aa1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ayecode/userswp","events":[{"introduced":"0"},{"fixed":"ca0c81b9c76a26c5ac78a8f3604cf9122a7a4aa1"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.2.58"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["1.2.3.11","1.2.3.10","1.2.3.9","1.2.3.8","1.2.3.7","1.2.3.6","1.2.3.5","1.2.3.4","1.2.3.3","1.2.3.2","1.2.3.1","1.2.3","1.2.2.37","1.2.2.36","1.2.2.35","1.2.2.34","1.2.2.33","1.2.2.32","1.2.2.31","1.2.2.30","1.2.2.29","1.2.2.28","1.2.2.27","1.2.2.26","1.2.2.25","1.2.2.24","1.2.2.23","1.2.2.22","1.2.2.21","1.2.2.20","1.2.2.19","1.2.2.18","1.2.2.17","1.2.2.16","1.2.2.15","1.2.2.14","1.2.2.13","1.2.2.12","1.2.2.11","1.2.2.10","1.2.2.9","1.2.2.8","1.2.2.7","1.2.2.6","1.2.2.5","1.2.2.4","1.2.2.3","1.2.2.2","1.2.2.1","1.2.2","1.2.1.9","1.2.1.8","1.2.1.7","1.2.1.6","1.2.1.5","1.2.1.4","1.2.1.3","1.2.1.2","1.2.1.1","1.2.1","1.2.0.12","1.2.0.11","1.2.0.10","1.2.0.9","1.2.0.8","1.2.0.7","1.2.0.6","1.2.0.5","1.2.0.4","1.2.0.3","1.2.0.2","1.2.0.1","1.2.0","1.1.3","1.1.2","1.1.1","1.1.0","1.0.24","1.0.23","1.0.22","1.0.21","1.0.20","1.0.19","1.0.18","1.0.17","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.10","1.0.11","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4979.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}]}