WeDevs WP User Frontend
cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:wordpress:*:*
- <= 4.2.4
The WP User Frontend plugin for WordPress, in versions through 4.2.4, is missing a capability check in the 'submit_post' function, which allows unauthenticated users to delete attachments. The plugin handles the corresponding AJAX requests without proper authorization checks, so the attachment deletion feature can be used to cause unauthorized data loss.
Exploitation of this vulnerability leads to unauthorized deletion of attachments.
To reproduce this vulnerability, send a request to the 'wpuf_submit_post' AJAX action without authentication. Include the 'delete_attachments' parameter with the IDs of the attachments to be deleted. The request will bypass authorization checks and delete the specified attachments.
Users are advised to update the WP User Frontend plugin to version 4.2.5 or later, where this vulnerability has been patched.
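For sites that cannot update immediately, a stop-gap is sketched below as an added example; it is not code from the advisory or from the plugin. It is a must-use plugin that filters 'delete_attachments' on the 'wpuf_submit_post' AJAX action down to attachments the current user may delete, and it goes beyond the unauthenticated case by applying the same check to logged-in users. The example_wpuf_* names are hypothetical, and it assumes the plugin's handler runs at a hook priority above 0 and accepts the parameter as an array of IDs.

```php
<?php
/**
 * Plugin Name: Example guard for wpuf_submit_post (added example)
 * Place in wp-content/mu-plugins/ until WP User Frontend is at 4.2.5 or later.
 */

// Hypothetical helper: keep only attachment IDs the current user may delete.
function example_wpuf_scrub( array &$input ) {
	if ( ! isset( $input['delete_attachments'] ) ) {
		return;
	}
	// wp_parse_id_list() accepts an array or a comma/space separated string.
	$requested = wp_parse_id_list( wp_unslash( $input['delete_attachments'] ) );
	$allowed   = array();
	foreach ( $requested as $id ) {
		// Anonymous visitors hold no capabilities, so nothing passes for them.
		if ( 'attachment' === get_post_type( $id ) && current_user_can( 'delete_post', $id ) ) {
			$allowed[] = $id;
		}
	}
	$dropped = array_diff( $requested, $allowed );
	if ( $dropped ) {
		// Leave a trace for monitoring: who asked to delete what.
		$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		error_log( sprintf(
			'wpuf_submit_post: dropped delete_attachments ids [%s] user=%d ip=%s',
			implode( ',', $dropped ),
			get_current_user_id(),
			$ip
		) );
	}
	$input['delete_attachments'] = $allowed;
}

// Scrub every place the parameter could be read from (assumption: the
// plugin reads it from one of these superglobals).
function example_wpuf_guard() {
	example_wpuf_scrub( $_POST );
	example_wpuf_scrub( $_GET );
	example_wpuf_scrub( $_REQUEST );
}

// Priority 0 runs before handlers registered at the default priority 10.
add_action( 'wp_ajax_wpuf_submit_post', 'example_wpuf_guard', 0 );
add_action( 'wp_ajax_nopriv_wpuf_submit_post', 'example_wpuf_guard', 0 );
```

The error_log entries also serve as a detection signal: any dropped ID from user 0 is an unauthenticated deletion request.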