Description
The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-04-02
Score: 9.8 Critical
EPSS: 1.5% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Front End Users plugin for WordPress allows unauthenticated users to upload arbitrary files because the plugin does not validate file types for the file upload field of its registration form. This flaw lets an attacker place files of their choosing on the web server, which may then be executed to compromise the site and achieve remote code execution. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): user-supplied uploads are accepted without any file type validation.

Affected Systems

All WordPress installations using the rustaurius Front End Users plugin version 3.2.32 or earlier are affected. The plugin is listed as Front End Users in the Vendor section and appears in the CPE string as etoilewebdesign:front_end_users. Users should identify any site that has this plugin installed and check the version number.

Risk and Exploitability

The CVSS score of 9.8 marks the flaw as Critical, and the EPSS score of 1% places its predicted likelihood of exploitation in the low range. Because the attack does not require authentication and can be performed through the publicly visible registration form, the likely attack path is a direct HTTP POST to the upload field. The vulnerability is not currently listed in the CISA KEV catalog, but the high severity warrants immediate attention.

Generated by OpenCVE AI on April 22, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Front End Users plugin to a version newer than 3.2.32, ensuring the file type validation patch is applied.
  • Disable or remove the plugin’s file upload feature if an immediate update is not possible, thereby eliminating the vulnerable input vector.
  • Configure the web server or application firewall to reject disallowed MIME types and prevent execution of files uploaded to the site’s upload directory.
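As an added illustration of the validation the plugin lacked (example code written for this page, not code from the Front End Users plugin or from OpenCVE), the following PHP check accepts a registration-form upload only if both its extension and its sniffed content are on an allow-list, and stores it under a server-chosen name. The constant and function names are hypothetical, and the demo input at the end is constructed, not a real upload.

```php
<?php
// Added example for this page, not code from the Front End Users plugin.
// ALLOWED_TYPES and validate_registration_upload() are hypothetical names.
declare(strict_types=1);

// Allow-list: extension => MIME types its bytes may sniff as. Anything absent,
// including .php, .phtml, .html and .svg, is refused before it is stored.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

/** Validate one entry of $_FILES; returns ['ok' => bool, ...]. */
function validate_registration_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'transfer error or no file'];
    }
    // Only the final extension counts, so "x.php.jpg" is judged as "jpg" and
    // must then also pass the content check for image/jpeg below.
    $ext = strtolower(pathinfo(basename((string) $file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // Never trust the client-supplied $file['type']: sniff the bytes on disk.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'unknown';
    if (!in_array($sniffed, ALLOWED_TYPES[$ext], true)) {
        return ['ok' => false, 'reason' => "content is $sniffed, not a $ext"];
    }
    // Server-generated name: the uploader controls neither the stored filename
    // nor the extension the web server will use to choose a handler.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'stored_name' => $stored, 'mime' => $sniffed];
}

// Constructed demo input, not a real upload: script content carrying an image name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'hello'; ?>");
$result = validate_registration_upload([
    'name' => 'avatar.jpg', 'type' => 'image/jpeg',
    'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK,
]);
unlink($tmp);
// The client-claimed type is ignored; the sniffed bytes are not image/jpeg,
// so $result['ok'] is false and $result['reason'] says why.
print_r($result);
```

Inside WordPress the core helper wp_check_filetype_and_ext() performs a comparable extension-plus-content check; pair either approach with a web-server rule that refuses to execute scripts under the uploads directory, as the third recommended action describes.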

Advisories
Source: EUVD
ID: EUVD-2025-9551
Title: The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 08 Apr 2026 17:30:00 +0000
  References: (no values shown)

Wed, 08 Apr 2026 17:00:00 +0000
  (no field changes shown)

Tue, 12 Aug 2025 17:15:00 +0000
  First Time appeared: Etoilewebdesign; Etoilewebdesign front End Users
  CPEs: cpe:2.3:a:etoilewebdesign:front_end_users:*:*:*:*:*:wordpress:*:*
  Vendors & Products: Etoilewebdesign; Etoilewebdesign front End Users

Wed, 02 Apr 2025 17:15:00 +0000
  Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 02 Apr 2025 09:45:00 +0000
  Description: The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title: Front-End-Only-Users <= 3.2.32 - Unauthenticated Arbitrary File Upload
  Weaknesses: CWE-434
  References: (no values shown)
  Metrics: cvssV3_1
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:54.757Z

Reserved: 2025-03-05T21:15:46.177Z

Link: CVE-2025-2005

Vulnrichment

Updated: 2025-04-02T16:14:30.717Z

NVD

Status: Modified

Published: 2025-04-02T10:15:19.117

Modified: 2026-04-08T17:20:35.697

Link: CVE-2025-2005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses