CVE-2025-10003
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP <= 1.2.44 - Authenticated (Subscriber+) SQL InjectionThe UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘upload_file_remove’ function and 'htmlvar' parameter in all versions up to, and including, 1.2.44 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
We have discovered 1,061 live websites that are affected by CVE-2025-10003.
Affected Software
| Product |  Userswp |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,061 live websites (31% of Userswp install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 78 versions ( 85% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Sep 6, 2025
- Updated - Apr 8, 2026
Credits
- Nguyen Ngoc Quang Bach (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-10003 United States | 353 websites |
 Germany | 97 websites |
 Italy | 76 websites |
 GB | 68 websites |
 France | 46 websites |
 Spain | 37 websites |
 Russia | 35 websites |
 Poland | 29 websites |
 Australia | 26 websites |
 Canada | 23 websites |
Website Distribution by TLD
Number of websites using CVE-2025-10003| .com | 417 websites |
| .org | 93 websites |
| .it | 52 websites |
| .de | 47 websites |
| .co.uk | 35 websites |
| .net | 31 websites |
| .ru | 28 websites |
| .pl | 24 websites |
| .fr | 19 websites |
| .ca | 17 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-10003
Top websites that are affected by CVE-2025-10003. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.org | United States | *,*** | |
| *********.com | United States | **,*** | |
| ********.com | United States | ***,*** | |
| **.today | United States | ***,*** | |
| ******.com | United States | ***,*** | |
| ************.com | United States | ***,*** | |
| *****.org | United States | ***,*** | |
| **********.org | United States | ***,*** | |
| ******.com |  Cyprus | ***,*** | |
| *****************.ca | Canada | ***,*** |
FAQ
CVE-2025-10003 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Userswp
A total of 1,061 websites have been identified as vulnerable to CVE-2025-10003, based on global website indexing conducted by WebTechSurvey.
The Userswp is affected by the CVE-2025-10003 vulnerability.
Userswp versions up to and including 1.2.44 are vulnerable to CVE-2025-10003.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/df5ddcc0-7bc2-4895-a07f-0b373802bf36?source=cve
- https://github.com/AyeCode/userswp/pull/850/commits/9d7c694b950b23eda8194c54aeff2f70ab517c3a#diff-33415cffa33da6d2d0a692f7bae398b9cda70959235316b0ffb99d5ce7a5dea5R155
- https://plugins.trac.wordpress.org/log/userswp/