Skip to main content

Wp Frontend Profile CVE-2026-39688

| EUVDEUVD-2026-20379 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-xxp2-xgc8-48h8
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20379
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9.

AnalysisAI

Missing authorization in Glowlogix WP Frontend Profile plugin through version 1.3.9 allows unauthenticated remote attackers to bypass access controls and access restricted user profile information, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control security levels in the plugin's frontend profile functionality. While CVSS is rated 5.3 (medium) and EPSS probability is very low at 0.02%, CISA SSVC assessment indicates exploitation is automatable, elevating real-world risk for affected WordPress installations running this plugin.

Technical ContextAI

WP Frontend Profile is a WordPress plugin (cpe:2.3:a:glowlogix:wp_frontend_profile) that manages user-facing profile pages and associated data. The vulnerability is rooted in CWE-862 (Missing Authorization), a classic access control flaw where the plugin fails to properly validate whether a requester has permission to access specific resources. The CVSS vector confirms this is a network-accessible vulnerability (AV:N, AC:L, PR:N, UI:N) requiring no user interaction, meaning the authorization checks are likely missing or bypassed at the API or function level rather than enforced through WordPress nonce verification or capability checks. The automatable nature (per SSVC) suggests the flaw can be exploited programmatically without complex manipulation.

RemediationAI

Upgrade WP Frontend Profile to a patched version released after 1.3.9 if available from the vendor, or disable the plugin immediately if no patched version is available. Administrators should navigate to WordPress admin panel, go to Plugins, and either update the plugin if a newer version is available or deactivate and remove it. In the interim, web application firewalls (WAF) or WordPress security plugins can implement access control rules to block unauthenticated requests to sensitive profile endpoints. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-front-end-profile for the latest patch release and deployment guidance.

Share

CVE-2026-39688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy