Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable AJAX endpoint, no authentication required (nonce extractable by any visitor), integrity-only impact limited to guest-owned files; no confidentiality or availability dimension applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary media attachments whose post_author is 0, such as guest and registration-form uploads, via the wpuf_file_del AJAX action. This is exploitable by unauthenticated visitors on any site where a WPUF shortcode is rendered on a front-end page, as this causes the valid wpuf_nonce value to be localized into publicly accessible JavaScript objects (wpuf_upload and wpuf_frontend), satisfying the sole access control gate.
AnalysisAI
Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific conditions must all be true for exploitation: (1) the WP User Frontend plugin is installed and active on the WordPress site; (2) at least one WPUF shortcode is rendered on a publicly accessible front-end page - without this, the wpuf_nonce is never localized into public JavaScript and the sole access control gate cannot be satisfied; (3) target media attachments must have post_author = 0, restricting deletable files to those uploaded by guests or via registration-form flows, not by any authenticated WordPress user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 5.3 (Medium) with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the constrained but zero-friction attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker visits any public WordPress page on the target site where a WPUF shortcode (e.g., a guest registration or front-end post submission form) is rendered, then reads the wpuf_nonce value directly from the page's JavaScript context (window.wpuf_upload.nonce). The attacker then iterates attachment IDs starting from low integers and submits POST requests to /wp-admin/admin-ajax.php with action=wpuf_file_del, the extracted nonce, and each target ID, deleting all guest-uploaded media attachments without any account credentials. … |
| Remediation | Update WP User Frontend to the version released after 4.3.7 that incorporates SVN changeset 3578622 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3578622%40wp-user-frontend&new=3578622%40wp-user-frontend) - confirm the current version number in the WordPress plugin directory before updating, as the exact patched release version was not provided in available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Frontend
View allUnauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visit
Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42537
GHSA-mfgw-m4gf-rx9j