Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.5.
AnalysisAI
Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they should not have permission to access. An attacker with valid WordPress credentials could exploit misconfigured security levels to gain unauthorized write access to restricted resources without requiring additional user interaction.
Technical ContextAI
WP User Frontend is a WordPress plugin (CPE: cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:*:*:*) that provides frontend user management and form-building capabilities for WordPress. The vulnerability is classified under CWE-862 (Missing Authorization), which indicates the application fails to perform proper authorization checks before granting access to protected resources or operations. Rather than a cryptographic or authentication protocol issue, this is an access control logic flaw where the plugin's security checks do not properly verify that the requesting user possesses the necessary permissions or roles before executing sensitive operations. This type of vulnerability typically manifests when capability checks are missing, improperly scoped, or incorrectly implemented in WordPress action/filter hooks or API endpoints.
RemediationAI
Immediately upgrade WP User Frontend to a patched version beyond 4.2.5, following the official weDevs release notes and security advisories. Until an upgrade is available or feasible, implement WordPress capability checks at the server level by restricting plugin functionality through role-based access controls via WordPress's user role and capability system, and consider disabling the plugin entirely if it handles sensitive user data or administrative functions. Monitor WordPress security advisory channels and Patchstack for patch release notifications, and review plugin file permissions to ensure only authorized users and processes can interact with plugin functions. The Patchstack advisory should be consulted for specific technical details and patching guidance: https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-5-broken-access-control-vulnerability?_s_id=cve.
More in Wp User Frontend
View allA missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Fro
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control S
Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attacke
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15561
GHSA-vwq3-xp85-fqfh