Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Unauthenticated network endpoint with no special conditions; impact is limited to subscription integrity manipulation with no confidentiality or availability effects.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to activate a free subscription pack for any user on the site, overwriting their existing paid subscription and causing loss of paid features.
AnalysisAI
Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WordPress site must be running WP User Frontend version 4.3.1 or earlier with the plugin's paid subscription or membership billing feature actively configured - the payment_page() function is the specific vulnerable entry point and is most impactful when paid tiers exist to overwrite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the attack profile - unauthenticated, low-complexity, network-accessible exploitation with bounded integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scripts a loop against a target WordPress site, enumerating user IDs via the public REST API endpoint /wp-json/wp/v2/users, then sends unauthenticated HTTP requests to the payment_page() function with each discovered user_id, triggering free subscription activation for every identified account. Paid subscribers find their premium access revoked without warning, generating support tickets and potential chargebacks. … |
| Remediation | An upstream fix has been committed to the WordPress plugin repository via changeset 3514258 (https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend), which introduces proper authorization validation to the payment_page() function. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Frontend
View allAuthorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visito
Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42229
GHSA-q9g5-gj6c-j62w