Skip to main content

WP User Frontend EUVDEUVD-2026-40105

| CVE-2026-57334 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 Patchstack GHSA-5m7g-c794-p955
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Unauthenticated network access confirmed by description and PR:N; low impact capped at I:L/A:L with no confidentiality exposure per available data.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:22 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.

AnalysisAI

Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated HTTP request to WP User Frontend endpoint
Exploit
Bypass missing authorization check (CWE-862)
Execution
Access restricted plugin functionality
Impact
Perform unauthorized data modification or trigger availability disruption

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS vector PR:N confirms unauthenticated access is sufficient, and the description explicitly labels this an 'Unauthenticated' vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is supported by a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating the flaw is trivially reachable over the network with no authentication or user interaction required, which raises real-world concern despite the medium score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a WordPress site running WP User Frontend <= 4.3.7, then sends a crafted HTTP request (AJAX, REST API, or form submission) to a plugin endpoint that lacks authorization checks. The attacker successfully invokes a restricted action - such as creating, modifying, or deleting user-submitted content - without holding any WordPress account or capability, resulting in limited unauthorized data modification or minor service disruption. …
Remediation Site administrators should update the WP User Frontend plugin to a version beyond 4.3.7 immediately; the exact patched release version is not confirmed in the available data - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-3-7-broken-access-control-vulnerability) and the WordPress plugin repository changelog for the confirmed fix version before applying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy