Platform: wordpress
Component: userswp
Fixed in: 1.2.49
CVE-2025-67593 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the UsersWP WordPress plugin. It potentially allows an attacker who can trick a user into clicking a malicious link to perform unauthorized actions on that user's account. The vulnerability affects UsersWP versions 0.0.0 through 1.2.48, and a patch is available in version 1.2.49.
A successful CSRF attack could allow an attacker to modify user roles, change passwords, or perform other administrative actions within the WordPress site, all without the user's knowledge or consent. The impact is particularly severe if the attacker can target users with administrative privileges, potentially gaining full control of the website. This vulnerability is similar to other CSRF flaws where user interaction is required, but the potential for unauthorized actions remains significant, especially in environments with shared hosting or where users frequently click on external links.
CVE-2025-67593 was publicly disclosed on 2025-12-09. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward once a suitable attack vector is identified.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-67593 is to immediately upgrade the UsersWP plugin to version 1.2.49 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that users are educated about the risks of clicking on suspicious links and entering credentials on untrusted websites. After upgrading, verify the fix by attempting to trigger a CSRF attack using a known payload and confirming that the action is blocked.
Update to version 1.2.49, or a newer patched version
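The advisory does not describe which UsersWP request handler lacked protection, so the following is an added illustration rather than the plugin's own code or its actual fix. It shows the standard WordPress defence against this vulnerability class: a form handler that trusts any POST carrying the victim's session cookies, beside the same handler guarded by a per-user, per-action nonce plus a capability check. Every identifier prefixed `example_` (the action slug, nonce field name and user-meta key) is invented for this example; `wp_nonce_field`, `wp_verify_nonce`, `current_user_can`, `admin_post_{action}` and the other calls are real WordPress core APIs.

```php
<?php
// Added illustration, not UsersWP code. All names prefixed example_ are hypothetical.

// --- Vulnerable pattern: processes any POST that arrives with the logged-in
// user's cookies. A form hosted on a third-party page and submitted to
// admin-post.php would be handled under the victim's session.
function example_handle_profile_update_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['display_title'] ?? '' ) );
    update_user_meta( get_current_user_id(), 'example_display_title', $value );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}

// --- Hardened pattern: the form embeds a nonce bound to this action, this
// user and this session; the handler refuses requests that do not carry it.
function example_render_profile_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_profile">
        <?php wp_nonce_field( 'example_update_profile', '_example_nonce' ); ?>
        <label>Display title <input type="text" name="display_title"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}

function example_handle_profile_update_hardened() {
    // 1. CSRF check. wp_verify_nonce() returns false unless the token was
    //    generated for this action and this user within the nonce lifetime;
    //    a cross-site page cannot read or forge it.
    $nonce = isset( $_POST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_profile' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // 2. Authorization check. A nonce proves the request came from a form
    //    this site rendered; it says nothing about what the user may do.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', get_current_user_id() ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['display_title'] ?? '' ) );
    update_user_meta( get_current_user_id(), 'example_display_title', $value );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}

// Only the hardened handler is wired up. admin_post_{action} fires for
// authenticated requests to admin-post.php whose action field matches.
add_action( 'admin_post_example_update_profile', 'example_handle_profile_update_hardened' );
```

The nonce check is what the plugin upgrade is expected to restore in code; a WAF rule can only approximate it by inspecting `Origin` or `Referer` headers, which is why the advisory treats WAF rules as a stopgap rather than a fix. The post-upgrade verification the advisory recommends maps onto this pattern directly: a state-changing request submitted without a valid nonce should be answered with the 403 path above and leave the user record unchanged.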
CVE-2025-67593 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the UsersWP WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using UsersWP versions 0.0.0 through 1.2.48. Upgrade to 1.2.49 or later to mitigate the risk.
Upgrade the UsersWP plugin to version 1.2.49 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation, but the CSRF nature of the vulnerability means exploitation is possible.
Refer to the UsersWP plugin's official website or WordPress plugin repository for the latest advisory and update information.