CVE-2025-10003
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks against WordPress sites using the UsersWP plugin. Attackers can extract sensitive database information by manipulating the 'htmlvar' parameter. All WordPress sites with UsersWP plugin versions up to 1.2.44 are affected.
💻 Affected Systems
- UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, personal data, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive user data (emails, hashed passwords, personal information) and potential privilege escalation.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
Time-based SQL injection requires careful timing and may be detectable by monitoring tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.45 or later
Vendor Advisory: https://plugins.trac.wordpress.org/log/userswp/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the UsersWP plugin.
4. Click 'Update Now' if available.
5. If not, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable functionality
Temporarily disable the file upload removal functionality if it is not critical
Web Application Firewall rule
Block requests containing suspicious SQL patterns in the htmlvar parameter
🧯 If You Can't Patch
- Deploy a web application firewall (WAF) with SQL injection protection rules
- Restrict access to affected endpoints using IP whitelisting or authentication
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → UsersWP version number
Check Version:
wp plugin list --name=userswp --field=version
Verify Fix Applied:
Verify plugin version is 1.2.45 or higher and check the patched code in upload_file_remove function
📡 Detection & Monitoring
Log Indicators:
- Unusual long-running database queries
- Multiple requests with htmlvar parameter containing SQL keywords
- 429 or 500 errors from upload_file_remove endpoint
Network Indicators:
- Repeated POST requests to /wp-admin/admin-ajax.php with htmlvar parameter
- Unusual timing patterns in requests (time-based injection)
SIEM Query:
source="web_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "htmlvar" AND parameters MATCHES "(?i)(sleep|benchmark|waitfor)")
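The log and network indicators above, turned into a small detection script. This is an added example, not code from the advisory or the UsersWP project; the log records, IP addresses and the `action` parameter value are constructed placeholders, and it assumes the log source records the POST body parameters (as a WAF or application log would), since a plain access log does not.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample web-log records (not real traffic). Field names are assumptions.
# "action=example_action" is a placeholder, not the plugin's real AJAX action name.
SAMPLE_LOGS = [
    {"ts": "2025-09-01T10:00:01", "src": "203.0.113.5", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php", "status": 200,
     "body": "action=example_action&htmlvar=avatar"},
    {"ts": "2025-09-01T10:00:02", "src": "198.51.100.7", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php", "status": 200,
     "body": "action=example_action&htmlvar=avatar%27%20AND%20SLEEP(5)--"},
    {"ts": "2025-09-01T10:00:09", "src": "198.51.100.7", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php", "status": 500,
     "body": "action=example_action&htmlvar=avatar%27%20AND%20BENCHMARK(1,1)--"},
    {"ts": "2025-09-01T10:00:15", "src": "198.51.100.7", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php", "status": 200,
     "body": "action=example_action&htmlvar=avatar%27%20WAITFOR%20DELAY--"},
    {"ts": "2025-09-01T10:00:20", "src": "192.0.2.9", "method": "GET",
     "uri": "/wp-login.php", "status": 200, "body": ""},
]

# Same keyword set as the advisory's SIEM query (case-insensitive, whole word).
TIME_BASED = re.compile(r"\b(sleep|benchmark|waitfor)\b", re.IGNORECASE)
AJAX_URI = "/wp-admin/admin-ajax.php"


def flag_time_based(records):
    """Return records that POST to admin-ajax.php with a time-based SQL keyword in htmlvar."""
    hits = []
    for rec in records:
        if rec["method"] != "POST" or rec["uri"] != AJAX_URI:
            continue
        # parse_qs URL-decodes values, so the regex sees the literal keyword.
        params = parse_qs(rec["body"], keep_blank_values=True)
        if any(TIME_BASED.search(v) for v in params.get("htmlvar", [])):
            hits.append(rec)
    return hits


def repeated_sources(records, threshold=3):
    """Sources that sent htmlvar to admin-ajax.php at least `threshold` times (network indicator)."""
    counts = Counter(rec["src"] for rec in records
                     if rec["uri"] == AJAX_URI and "htmlvar" in parse_qs(rec["body"]))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in flag_time_based(SAMPLE_LOGS):
        print(f"{rec['ts']} {rec['src']} status={rec['status']} body={rec['body']}")
    print("repeated sources:", repeated_sources(SAMPLE_LOGS))
```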
🔗 References
- https://github.com/AyeCode/userswp/pull/850/commits/9d7c694b950b23eda8194c54aeff2f70ab517c3a#diff-33415cffa33da6d2d0a692f7bae398b9cda70959235316b0ffb99d5ce7a5dea5R155
- https://plugins.trac.wordpress.org/log/userswp/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/df5ddcc0-7bc2-4895-a07f-0b373802bf36?source=cve