Skip to main content

WP User Frontend CVE-2026-12406

| EUVDEUVD-2026-42537 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-mfgw-m4gf-rx9j
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable AJAX endpoint, no authentication required (nonce extractable by any visitor), integrity-only impact limited to guest-owned files; no confidentiality or availability dimension applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:57 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
MEDIUM 5.3

DescriptionCVE.org

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary media attachments whose post_author is 0, such as guest and registration-form uploads, via the wpuf_file_del AJAX action. This is exploitable by unauthenticated visitors on any site where a WPUF shortcode is rendered on a front-end page, as this causes the valid wpuf_nonce value to be localized into publicly accessible JavaScript objects (wpuf_upload and wpuf_frontend), satisfying the sole access control gate.

AnalysisAI

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Visit public page with WPUF shortcode
Delivery
Extract wpuf_nonce from page JavaScript
Exploit
Enumerate attachment IDs with post_author=0
Execution
POST to admin-ajax.php with action=wpuf_file_del and nonce
Impact
Delete target guest-uploaded media files

Vulnerability AssessmentAI

Exploitation Three specific conditions must all be true for exploitation: (1) the WP User Frontend plugin is installed and active on the WordPress site; (2) at least one WPUF shortcode is rendered on a publicly accessible front-end page - without this, the wpuf_nonce is never localized into public JavaScript and the sole access control gate cannot be satisfied; (3) target media attachments must have post_author = 0, restricting deletable files to those uploaded by guests or via registration-form flows, not by any authenticated WordPress user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 5.3 (Medium) with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the constrained but zero-friction attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker visits any public WordPress page on the target site where a WPUF shortcode (e.g., a guest registration or front-end post submission form) is rendered, then reads the wpuf_nonce value directly from the page's JavaScript context (window.wpuf_upload.nonce). The attacker then iterates attachment IDs starting from low integers and submits POST requests to /wp-admin/admin-ajax.php with action=wpuf_file_del, the extracted nonce, and each target ID, deleting all guest-uploaded media attachments without any account credentials. …
Remediation Update WP User Frontend to the version released after 4.3.7 that incorporates SVN changeset 3578622 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3578622%40wp-user-frontend&new=3578622%40wp-user-frontend) - confirm the current version number in the WordPress plugin directory before updating, as the exact patched release version was not provided in available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy