Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Unauthenticated network access confirmed by description and PR:N; low impact capped at I:L/A:L with no confidentiality exposure per available data.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
AnalysisAI
Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the CVSS vector PR:N confirms unauthenticated access is sufficient, and the description explicitly labels this an 'Unauthenticated' vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is supported by a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating the flaw is trivially reachable over the network with no authentication or user interaction required, which raises real-world concern despite the medium score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a WordPress site running WP User Frontend <= 4.3.7, then sends a crafted HTTP request (AJAX, REST API, or form submission) to a plugin endpoint that lacks authorization checks. The attacker successfully invokes a restricted action - such as creating, modifying, or deleting user-submitted content - without holding any WordPress account or capability, resulting in limited unauthorized data modification or minor service disruption. … |
| Remediation | Site administrators should update the WP User Frontend plugin to a version beyond 4.3.7 immediately; the exact patched release version is not confirmed in the available data - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-3-7-broken-access-control-vulnerability) and the WordPress plugin repository changelog for the confirmed fix version before applying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp User Frontend
View allA missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Fro
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control S
Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they shou
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40105
GHSA-5m7g-c794-p955