Skip to main content

WP User Frontend CVE-2026-12418

| EUVDEUVD-2026-42542 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-09 Wordfence GHSA-33x8-pcvj-97hp
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable AJAX endpoint, no privileges required per description; integrity impact is low as only three specific post fields are modifiable, not full system control.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 09:03 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
MEDIUM 5.3

DescriptionCVE.org

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuf_files_data' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation.

AnalysisAI

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate public WPUF submission form
Delivery
Extract nonce from form page
Exploit
Craft POST to admin-ajax.php with manipulated wpuf_files_data
Execution
Bypass capability check via nonce-only gate
Impact
Overwrite target post title and content

Vulnerability AssessmentAI

Exploitation The WordPress site must have the WP User Frontend plugin installed and active in a version at or below 4.3.7. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N is technically accurate per metric definitions but understates the operational impact for content-dependent sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running WP User Frontend by locating a public post submission form (the plugin's primary use case). The attacker crafts a POST request to wp-admin/admin-ajax.php with action=wpuf_submit_post, a valid nonce obtained from the public form, and a manipulated wpuf_files_data parameter containing the ID of a target post - such as the site's homepage or a pinned admin article. …
Remediation A patch changeset (revision 3578622) is present in the WordPress plugin Trac repository, indicating a fix has been committed upstream; however, an exact patched release version is not independently confirmed from the available input data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy