CVE-2026-1565
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis
Arbitrary file upload in User Frontend plugin for WordPress (versions up to 4.2.8) allows authenticated users with Author-level privileges to bypass file type validation and upload malicious files to the server. This can lead to remote code execution if an attacker uploads executable files to web-accessible directories. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Disable the User Frontend plugin immediately and audit recent file uploads for suspicious activity. Within 7 days: Contact the plugin vendor for patch availability; if unavailable, evaluate alternative plugins or implement network-level file upload restrictions. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today