Platform
wordpress
Component
userswp
Fixed version
1.2.54
CVE-2026-25015 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the UsersWP WordPress plugin. In a CSRF attack, a victim who is already logged in is tricked into submitting a request they did not intend, so the plugin performs an action with that user's privileges; here that can mean unauthorized modifications or deletions within the plugin's functionality. This vulnerability affects UsersWP versions from 0.0.0 up to and including 1.2.53. A patch is available in version 1.2.54.
The CSRF vulnerability in UsersWP allows an attacker to execute actions on behalf of an authenticated user without that user's knowledge. This could include modifying user roles, deleting users, or altering plugin settings. The impact is directly tied to the permissions of the user being impersonated: an attacker could gain administrative access if they can trick an administrator into performing a malicious action. The blast radius is limited to the UsersWP plugin's functionality and the WordPress site itself, but successful exploitation could compromise the entire site if administrative actions are affected.
CVE-2026-25015 was publicly disclosed on 2026-02-03. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 4.3 indicates a medium level of severity. It is not listed on the CISA KEV catalog at the time of writing.
WordPress websites running the UsersWP plugin, particularly those with administrator accounts or sensitive user management configurations, are at risk. Shared hosting environments, where multiple websites share the same server resources, are also potentially exposed, as a compromise of one site could lead to attacks targeting the others.
• wordpress / composer / npm:
grep -r 'userswp_ajax_nonce' /var/www/html/wp-content/plugins/userswp/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/userswp/ | grep -i 'referer'
Disclosure
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25015 is to upgrade the UsersWP plugin to version 1.2.54 or later without delay. If upgrading is not immediately feasible, consider deploying a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, make sure users understand the risks of clicking suspicious links or visiting untrusted websites while logged in. While not a direct fix, enabling WordPress's core CSRF protection can offer a layer of defense. After upgrading, verify the plugin's functionality and review user roles to confirm that no unauthorized changes have occurred.
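What WordPress's core CSRF protection looks like inside a plugin, as an added example that is not UsersWP's code or its patch: a constructed admin-ajax handler shown without and then with the nonce and capability checks. The nonce action name 'userswp_ajax_nonce' (taken from the grep above), the hypothetical handler names and the script handle 'example-admin' are assumptions for illustration.

```php
<?php
// Constructed example, not UsersWP's own handler. The action name
// 'userswp_ajax_nonce' and the 'example-admin' script handle are assumed.

// Before: the handler acts on any request from a logged-in browser, so a
// forged cross-site POST carrying the victim's cookies is accepted (CSRF).
function example_delete_user_unsafe() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    wp_delete_user( $user_id );
    wp_send_json_success();
}

// After: the request must carry a nonce that WordPress issued to this user
// for this action, and the user must actually hold the capability.
function example_delete_user_safe() {
    // Stops with HTTP 403 when the nonce is missing, expired or forged.
    check_ajax_referer( 'userswp_ajax_nonce', 'security' );

    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    if ( $user_id <= 0 || $user_id === get_current_user_id() ) {
        wp_send_json_error( 'invalid user id', 400 );
    }

    wp_delete_user( $user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_user', 'example_delete_user_safe' );

// The nonce is minted server-side and handed only to the site's own script;
// a third-party page cannot read it, so its forged request fails the check.
function example_enqueue_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'userswp_ajax_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_nonce' );
```

The client then sends the nonce as the `security` POST field alongside `action=example_delete_user`; a WAF rule can only approximate this, which is why upgrading to 1.2.54 is the actual fix.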
Update to version 1.2.54 or a later fixed version.
CVE-2026-25015 is a Cross-Site Request Forgery (CSRF) vulnerability affecting UsersWP WordPress plugin versions 0.0.0–1.2.53, allowing attackers to make an authenticated user's browser perform unauthorized actions.
You are affected if you are using UsersWP plugin versions 0.0.0 through 1.2.53. Upgrade to 1.2.54 or later to mitigate the risk.
Upgrade the UsersWP plugin to version 1.2.54 or later. Consider implementing a WAF with CSRF protection as an interim measure.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-25015.
Refer to the UsersWP plugin's official website or WordPress plugin repository for the latest advisory and update information.