Skip to main content

Wp User Frontend CVE-2026-24364

| EUVDEUVD-2026-15561 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-vwq3-xp85-fqfh
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15561
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.5.

AnalysisAI

Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they should not have permission to access. An attacker with valid WordPress credentials could exploit misconfigured security levels to gain unauthorized write access to restricted resources without requiring additional user interaction.

Technical ContextAI

WP User Frontend is a WordPress plugin (CPE: cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:*:*:*) that provides frontend user management and form-building capabilities for WordPress. The vulnerability is classified under CWE-862 (Missing Authorization), which indicates the application fails to perform proper authorization checks before granting access to protected resources or operations. Rather than a cryptographic or authentication protocol issue, this is an access control logic flaw where the plugin's security checks do not properly verify that the requesting user possesses the necessary permissions or roles before executing sensitive operations. This type of vulnerability typically manifests when capability checks are missing, improperly scoped, or incorrectly implemented in WordPress action/filter hooks or API endpoints.

RemediationAI

Immediately upgrade WP User Frontend to a patched version beyond 4.2.5, following the official weDevs release notes and security advisories. Until an upgrade is available or feasible, implement WordPress capability checks at the server level by restricting plugin functionality through role-based access controls via WordPress's user role and capability system, and consider disabling the plugin entirely if it handles sensitive user data or administrative functions. Monitor WordPress security advisory channels and Patchstack for patch release notifications, and review plugin file permissions to ensure only authorized users and processes can interact with plugin functions. The Patchstack advisory should be consulted for specific technical details and patching guidance: https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-5-broken-access-control-vulnerability?_s_id=cve.

Share

CVE-2026-24364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy