Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable AJAX endpoint, no privileges required per description; integrity impact is low as only three specific post fields are modifiable, not full system control.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuf_files_data' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation.
AnalysisAI
Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WordPress site must have the WP User Frontend plugin installed and active in a version at or below 4.3.7. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N is technically accurate per metric definitions but understates the operational impact for content-dependent sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running WP User Frontend by locating a public post submission form (the plugin's primary use case). The attacker crafts a POST request to wp-admin/admin-ajax.php with action=wpuf_submit_post, a valid nonce obtained from the public form, and a manipulated wpuf_files_data parameter containing the ID of a target post - such as the site's homepage or a pinned admin article. … |
| Remediation | A patch changeset (revision 3578622) is present in the WordPress plugin Trac repository, indicating a fix has been committed upstream; however, an exact patched release version is not independently confirmed from the available input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Frontend
View allAuthorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visito
Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42542
GHSA-33x8-pcvj-97hp