Impact
The WP User Frontend plugin for WordPress is missing a capability check in the 'Frontend_Form_Ajax::submit_post' function, which allows unauthenticated attackers to delete attachments. Because deleting a WordPress attachment removes both the database record and the underlying file, a malicious actor could permanently remove media attached to posts or user profiles, disrupting content availability and potentially destroying assets or records the site depends on. The weakness is classified as CWE-862 (Missing Authorization): the application performs a privileged action without first verifying that the requester is entitled to perform it.
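The following is an added illustration of the CWE-862 pattern described above, written for this page; it is not code from WP User Frontend, and the action names, the 'my_plugin_' prefix and the 'attach_id' / 'nonce' parameter names are hypothetical. Only the WordPress core functions it calls are real. The first handler shows the shape of a missing-authorization bug (anonymous-reachable AJAX action deleting whatever ID it is handed); the second shows the checks a hardened handler performs before touching the attachment.

```php
<?php
/**
 * Added illustration of a missing-authorization (CWE-862) attachment-deletion
 * handler and its hardened counterpart. NOT code from WP User Frontend; the
 * 'my_plugin_' action names and request parameter names are hypothetical.
 * The WordPress functions used (add_action, check_ajax_referer,
 * current_user_can, get_post, get_current_user_id, wp_delete_attachment,
 * wp_send_json_success, wp_send_json_error) are real core APIs.
 */

/* --- Vulnerable shape: reachable without login, no authorization check. --- */

// wp_ajax_nopriv_* makes the handler callable by anonymous visitors via
// POST /wp-admin/admin-ajax.php with action=my_plugin_delete_attachment
add_action( 'wp_ajax_nopriv_my_plugin_delete_attachment', 'my_plugin_delete_attachment_vulnerable' );
add_action( 'wp_ajax_my_plugin_delete_attachment',        'my_plugin_delete_attachment_vulnerable' );

function my_plugin_delete_attachment_vulnerable() {
    $attach_id = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;

    // Anyone who knows or guesses an attachment ID can remove the file and
    // its database record: no nonce, no capability test, no ownership test.
    wp_delete_attachment( $attach_id, true );
    wp_send_json_success(); // calls wp_die(), so execution stops here
}

/* --- Hardened shape: authenticated, nonce-checked, capability-checked, scoped. --- */

// Registered only on wp_ajax_* (logged-in users); no nopriv hook at all.
add_action( 'wp_ajax_my_plugin_delete_attachment_secure', 'my_plugin_delete_attachment_secure' );

function my_plugin_delete_attachment_secure() {
    // 1. CSRF: the request must carry a nonce issued for this specific action
    //    (the client obtains it from wp_create_nonce('my_plugin_delete_attachment')).
    check_ajax_referer( 'my_plugin_delete_attachment', 'nonce' );

    $attach_id  = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;
    $attachment = $attach_id ? get_post( $attach_id ) : null;

    // 2. Target validation: refuse anything that is not an attachment, so the
    //    handler cannot be pointed at posts, pages or other object types.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Authorization (the check that is missing in the vulnerable shape):
    //    'delete_post' is the meta-capability WordPress resolves against the
    //    caller's role and the specific object.
    if ( ! current_user_can( 'delete_post', $attach_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Scope: for a frontend form, additionally require that the requester
    //    uploaded the attachment, closing the IDOR even for roles that hold
    //    broad delete rights.
    if ( (int) $attachment->post_author !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'Not your attachment.' ), 403 );
    }

    // Force-delete (bypass trash) only after every check above has passed.
    if ( false === wp_delete_attachment( $attach_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attach_id ) );
}
```

The order of the checks matters: nonce first (cheap, rejects cross-site requests), then object validation, then capability, then ownership. Checking current_user_can() alone is not sufficient for a frontend plugin, because an Editor legitimately holds delete rights on other users' attachments, which is rarely what a self-service form intends; the ownership test makes the intended scope explicit.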
Affected Systems
The vulnerability affects all releases of the WP User Frontend plugin by WeDevs up to and including version 4.2.4. Any WordPress site running an affected version is exposed, because the plugin's AJAX handlers are served through WordPress's admin-ajax.php endpoint, which every WordPress installation exposes to anonymous visitors by default. Sites that use the frontend form feature for content posting, user registration, or profile management are the most directly affected.
Risk and Exploitability
The CVSS base score of 5.3 (Medium) reflects a low-complexity issue with limited impact; the EPSS score of under 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the attack vector is an HTTP request to the unprotected AJAX action that triggers the deletion logic. Exploitation requires only that an attacker send a suitably formed POST request to the endpoint, presumably carrying the identifier of the attachment to remove, which is easy to automate; no authentication, local access, or privileged network position is needed. Sites running an affected version should update the plugin, and can review web server logs for unexpected POST requests to admin-ajax.php and the media library for missing files to check whether the deletion path has already been abused.
OpenCVE Enrichment