GCVE - cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Wedevs (`74af2ef9-c755-5b07-93a2-5a3afa051904`)
Product	Wp User Frontend (`d2a0f906-290c-5cb2-85a2-5d41cf6634c1`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-38693`	vulnerable	2026-06-03 14:56:19.328255	WordPress WP User Frontend plugin <= 4.0.7 - SQL Injection vulnerability HIGH (7.6) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Frontend allows SQL Injection.This issue affects WP User Frontend: from n/a through 4.0.7. Published: 2024-08-29T14:05:53.853Z Updated: 2026-04-28T16:10:04.726Z Open on db.gcve.eu Reference links https://patchstack.com/database/vulnerability/wp-user-frontend/wordpress-wp-user-frontend-plugin-4-0-7-sql-injection-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-47682`	vulnerable	2026-06-03 14:53:17.955309	WordPress WP User Frontend plugin <= 3.6.5 - Authenticated Privilege Escalation vulnerability HIGH (7.2) Improper Privilege Management vulnerability in weDevs WP User Frontend allows Privilege Escalation.This issue affects WP User Frontend: from n/a through 3.6.5. Published: 2024-05-17T08:36:12.682Z Updated: 2026-04-28T16:08:50.701Z Open on db.gcve.eu Reference links https://patchstack.com/database/vulnerability/wp-user-frontend/wordpress-wp-user-frontend-plugin-3-6-5-authenticated-privilege-escalation-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-25076`	vulnerable	2026-06-03 14:44:04.375639	WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting Published: 2022-01-24T08:01:24.000Z Updated: 2024-08-03T19:56:09.883Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/6d3eeba6-5560-4380-a6e9-f008a9112ac6 https://plugins.trac.wordpress.org/changeset/2648715 http://packetstormsecurity.com/files/166071/WordPress-WP-User-Frontend-3.5.25-SQL-Injection.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-24649`	vulnerable	2026-06-03 14:44:03.045386	WP User Frontend < 3.5.29 - Obscure Registration as Admin The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin Published: 2022-11-21T00:00:00.000Z Updated: 2025-04-30T13:27:11.190Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/9486744e-ab24-44e4-b06e-9e0b4be132e2	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.