Skip to main content

WP User Frontend EUVDEUVD-2026-42229

| CVE-2026-5459 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-08 Wordfence GHSA-q9g5-gj6c-j62w
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network endpoint with no special conditions; impact is limited to subscription integrity manipulation with no confidentiality or availability effects.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 13:23 vuln.today
CVE Published
Jul 08, 2026 - 12:33 nvd
MEDIUM 5.3

DescriptionCVE.org

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to activate a free subscription pack for any user on the site, overwriting their existing paid subscription and causing loss of paid features.

AnalysisAI

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running WP User Frontend ≤4.3.1
Delivery
Enumerate registered user IDs via WordPress REST API
Exploit
Craft HTTP request to payment_page() with target user_id
Execution
Submit unauthenticated request with no session required
Persist
Free subscription activated server-side
Impact
Victim's paid subscription overwritten, premium features revoked

Vulnerability AssessmentAI

Exploitation The WordPress site must be running WP User Frontend version 4.3.1 or earlier with the plugin's paid subscription or membership billing feature actively configured - the payment_page() function is the specific vulnerable entry point and is most impactful when paid tiers exist to overwrite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the attack profile - unauthenticated, low-complexity, network-accessible exploitation with bounded integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scripts a loop against a target WordPress site, enumerating user IDs via the public REST API endpoint /wp-json/wp/v2/users, then sends unauthenticated HTTP requests to the payment_page() function with each discovered user_id, triggering free subscription activation for every identified account. Paid subscribers find their premium access revoked without warning, generating support tickets and potential chargebacks. …
Remediation An upstream fix has been committed to the WordPress plugin repository via changeset 3514258 (https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend), which introduces proper authorization validation to the payment_page() function. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy