Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.
AnalysisAI
A missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers to bypass access control checks and perform unauthorized actions. The vulnerability stems from incorrectly configured access control security levels (CWE-862: Missing Authorization), enabling attackers with varying privilege levels to access or modify restricted functionality. All installations of WP User Frontend up to and including version 4.2.8 are vulnerable, and immediate patching is strongly recommended.
Technical ContextAI
WP User Frontend is a WordPress plugin (CPE: cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:*:*:*) that provides user-facing form building and frontend submission capabilities for WordPress sites. The vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control defect where the application fails to properly verify that users have permission to perform specific actions. This occurs when authorization checks are missing, incorrectly implemented, or insufficiently enforced at critical application entry points. In the context of WP User Frontend, this likely affects form submission handlers, user data modification endpoints, or administrative functions that should be restricted based on user roles and capabilities but instead permit unauthorized access due to broken access control logic.
RemediationAI
Immediately update WP User Frontend to the latest patched version released after 4.2.8. Visit the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability) to confirm the patch version and install via the WordPress plugin dashboard (Plugins > Installed Plugins > Update). As a temporary mitigation pending patch deployment, restrict direct HTTP access to the plugin's form submission endpoints using a Web Application Firewall (WAF) configured to enforce role-based access policies. Additionally, audit user roles and capabilities in WordPress to ensure the principle of least privilege is applied, and consider disabling the plugin entirely until patching is feasible if deployment is non-critical.
More in Wp User Frontend
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Fro
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control S
Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they shou
Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attacke
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15829
GHSA-x8fc-w2q6-x22j