Skip to main content

Wp User Frontend EUVDEUVD-2026-15829

| CVE-2026-32485 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-x8fc-w2q6-x22j
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15829
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.

AnalysisAI

A missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers to bypass access control checks and perform unauthorized actions. The vulnerability stems from incorrectly configured access control security levels (CWE-862: Missing Authorization), enabling attackers with varying privilege levels to access or modify restricted functionality. All installations of WP User Frontend up to and including version 4.2.8 are vulnerable, and immediate patching is strongly recommended.

Technical ContextAI

WP User Frontend is a WordPress plugin (CPE: cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:*:*:*) that provides user-facing form building and frontend submission capabilities for WordPress sites. The vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control defect where the application fails to properly verify that users have permission to perform specific actions. This occurs when authorization checks are missing, incorrectly implemented, or insufficiently enforced at critical application entry points. In the context of WP User Frontend, this likely affects form submission handlers, user data modification endpoints, or administrative functions that should be restricted based on user roles and capabilities but instead permit unauthorized access due to broken access control logic.

RemediationAI

Immediately update WP User Frontend to the latest patched version released after 4.2.8. Visit the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability) to confirm the patch version and install via the WordPress plugin dashboard (Plugins > Installed Plugins > Update). As a temporary mitigation pending patch deployment, restrict direct HTTP access to the plugin's form submission endpoints using a Web Application Firewall (WAF) configured to enforce role-based access policies. Additionally, audit user roles and capabilities in WordPress to ensure the principle of least privilege is applied, and consider disabling the plugin entirely until patching is feasible if deployment is non-critical.

Share

EUVD-2026-15829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy