User Frontend
cpe:2.3:a:wedevs:user_frontend:_ai_powered_frontend_posting,_user_directory,_profile,_membership_&_user_registration:*:*:*:*:*:*:*:*
part: a version: _ai_powered_frontend_posting,_user_directory,_profile,_membership_&_user_registration update: *
| Vendor | Wedevs (74af2ef9-c755-5b07-93a2-5a3afa051904) |
|---|---|
| Product | User Frontend (877a484f-f837-58da-8ced-ede67b9f30fc) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-5127 | vulnerable | 2026-06-03 15:26:26.597415 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection. HIGH (8.8). The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system. Published: 2026-05-08T08:26:32.725Z. Updated: 2026-05-08T20:00:10.551Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-2233 | vulnerable | 2026-06-03 15:19:23.805096 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter. MEDIUM (5.3). The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter. Published: 2026-03-15T02:19:14.723Z. Updated: 2026-04-08T17:28:44.765Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-1565 | vulnerable | 2026-06-03 15:14:44.655722 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Authenticated (Author+) Arbitrary File Upload. HIGH (8.8). The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Published: 2026-02-26T19:23:09.638Z. Updated: 2026-04-08T16:43:50.370Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-14047 | vulnerable | 2026-06-03 14:58:54.383912 | WP User Frontend <= 4.2.4 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion. MEDIUM (5.3). The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments. Published: 2026-01-02T01:48:19.898Z. Updated: 2026-04-08T16:59:43.442Z. | Imported from gcve-enriched-dumps CVE data |