CVE-2025-9344
UsersWP <= 1.2.42 - Authenticated (Contributor+) Stored Cross-Site ScriptingThe UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 1,011 live websites that are affected by CVE-2025-9344.
Affected Software
| Product |  Userswp |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,011 live websites (29% of Userswp install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 76 versions ( 83% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Aug 28, 2025
- Updated - Apr 8, 2026
Credits
- Matthew Rollings (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-9344 United States | 322 websites |
 Germany | 95 websites |
 Italy | 74 websites |
 GB | 67 websites |
 France | 44 websites |
 Spain | 36 websites |
 Russia | 35 websites |
 Poland | 28 websites |
 Australia | 25 websites |
 Canada | 22 websites |
Website Distribution by TLD
Number of websites using CVE-2025-9344| .com | 390 websites |
| .org | 84 websites |
| .it | 51 websites |
| .de | 45 websites |
| .co.uk | 35 websites |
| .net | 31 websites |
| .ru | 28 websites |
| .pl | 23 websites |
| .fr | 19 websites |
| .ca | 17 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-9344
Top websites that are affected by CVE-2025-9344. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.org | United States | *,*** | |
| *********.com | United States | **,*** | |
| ********.com | United States | ***,*** | |
| **.today | United States | ***,*** | |
| ******.com | United States | ***,*** | |
| ************.com | United States | ***,*** | |
| *****.org | United States | ***,*** | |
| **********.org | United States | ***,*** | |
| ******.com |  Cyprus | ***,*** | |
| *****************.ca | Canada | ***,*** |
FAQ
CVE-2025-9344 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Userswp
A total of 1,011 websites have been identified as vulnerable to CVE-2025-9344, based on global website indexing conducted by WebTechSurvey.
The Userswp is affected by the CVE-2025-9344 vulnerability.
Userswp versions up to and including 1.2.42 are vulnerable to CVE-2025-9344.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0ecba857-03d8-4a2e-9450-146d442f5533?source=cve
- https://github.com/AyeCode/userswp/commit/2e18c3f70a3f24f4f4ef2ec44d38fda82866c902
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3349701%40userswp&new=3349701%40userswp&sfp_email=&sfph_mail=