CVE-2026-2233

MEDIUM

User Frontend WordPress Plugin <=4.2.8 - Auth Bypass

Title source: llm

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7?source=cve

Scores

CVSS v3 5.3

EPSS 0.0019

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

wedevs/User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration < 4.2.8

Published Mar 16, 2026

Tracked Since Mar 16, 2026