CVE-2026-1644
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Description
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Analysis
The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Cross-Site Request Forgery in and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today