Impact
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable because the functions WPUF_Admin_Settings::check_filetype_and_ext and Admin_Tools::check_filetype_and_ext perform incorrect file type validation. This allows an authenticated user with Author-level permissions or higher to upload arbitrary files to the server. By uploading a malicious file such as a PHP script or web shell, a threat actor can potentially execute code on the system. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
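The page does not show the affected function, so the following is an added illustration rather than the plugin's code or its fix: a hardened upload check in the WordPress idiom that rejects the kind of file this weakness lets through. It assumes it runs inside WordPress (wp_check_filetype_and_ext, get_allowed_mime_types, sanitize_file_name and WP_Error are core APIs); the function name example_validate_upload and its allowlist are hypothetical choices for this example.

```php
<?php
// Added example (not the plugin's own code). Takes one $_FILES entry and returns
// the filename that is safe to store, or a WP_Error explaining the rejection.
// Assumes WordPress core is loaded; $allowed_exts is a site-chosen allowlist that
// is deliberately narrower than WordPress' default upload types.
function example_validate_upload( array $file, array $allowed_exts = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' ) ) {
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'upload_missing', 'No uploaded file found.' );
    }

    // Build a MIME map restricted to the allowlist, so any extension outside it
    // (php, phtml, html, svg, ...) fails regardless of what the client claims.
    $mimes = array();
    foreach ( get_allowed_mime_types() as $ext_pattern => $mime ) {
        foreach ( explode( '|', $ext_pattern ) as $ext ) {
            if ( in_array( $ext, $allowed_exts, true ) ) {
                $mimes[ $ext ] = $mime;
            }
        }
    }

    // Let WordPress check the extension AND sniff the real content (finfo / image
    // headers). $file['type'] is client-controlled and is never consulted here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );

    // Both fields must be set: an unknown extension or a content/extension
    // mismatch leaves one of them false. Either one is a rejection.
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'upload_type', 'File type not permitted.' );
    }

    // WordPress sets proper_filename when the real content does not match the
    // extension. Refuse instead of silently renaming.
    if ( ! empty( $check['proper_filename'] ) && $check['proper_filename'] !== $file['name'] ) {
        return new WP_Error( 'upload_mismatch', 'File content does not match its extension.' );
    }

    // Last guard against multi-extension names such as "shell.php.jpg": exactly one
    // extension is allowed, and it must be the one WordPress matched.
    $name  = sanitize_file_name( $file['name'] );
    $parts = explode( '.', $name );
    $last  = strtolower( array_pop( $parts ) );
    if ( 1 !== count( $parts ) || $last !== strtolower( $check['ext'] ) ) {
        return new WP_Error( 'upload_name', 'Unexpected file name structure.' );
    }
    return $name;
}
```

The single-extension rule is a policy choice: it also rejects benign names like "my.photo.jpg", which is usually the right trade-off for a public upload form.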
Affected Systems
WordPress sites running any version of the plugin up to and including 4.2.8 are affected, that is, any deployment with the weDevs User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin active. Any user holding the Author role or higher, including editors and administrators, can exploit the flaw.
Risk and Exploitability
The CVSS score of 8.8 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker obtain Author-level or higher access to the site, a privilege level commonly granted to site contributors. The attacker can then use the plugin's upload interface to place a crafted file on the server, potentially leading to remote code execution. The attack vector is likely local through the WordPress admin interface and does not require external network exposure.
OpenCVE Enrichment