Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9.
AnalysisAI
Missing authorization in Glowlogix WP Frontend Profile plugin through version 1.3.9 allows unauthenticated remote attackers to bypass access controls and access restricted user profile information, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control security levels in the plugin's frontend profile functionality. While CVSS is rated 5.3 (medium) and EPSS probability is very low at 0.02%, CISA SSVC assessment indicates exploitation is automatable, elevating real-world risk for affected WordPress installations running this plugin.
Technical ContextAI
WP Frontend Profile is a WordPress plugin (cpe:2.3:a:glowlogix:wp_frontend_profile) that manages user-facing profile pages and associated data. The vulnerability is rooted in CWE-862 (Missing Authorization), a classic access control flaw where the plugin fails to properly validate whether a requester has permission to access specific resources. The CVSS vector confirms this is a network-accessible vulnerability (AV:N, AC:L, PR:N, UI:N) requiring no user interaction, meaning the authorization checks are likely missing or bypassed at the API or function level rather than enforced through WordPress nonce verification or capability checks. The automatable nature (per SSVC) suggests the flaw can be exploited programmatically without complex manipulation.
RemediationAI
Upgrade WP Frontend Profile to a patched version released after 1.3.9 if available from the vendor, or disable the plugin immediately if no patched version is available. Administrators should navigate to WordPress admin panel, go to Plugins, and either update the plugin if a newer version is available or deactivate and remove it. In the interim, web application firewalls (WAF) or WordPress security plugins can implement access control rules to block unauthenticated requests to sensitive profile endpoints. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-front-end-profile for the latest patch release and deployment guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20379
GHSA-xxp2-xgc8-48h8