Impact
The WP Frontend Profile plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability in all releases up to and including 1.3.8. The flaw stems from missing nonce validation in the 'update_action' handler, which processes account approval or rejection requests. An attacker can craft a forged request and entice an administrator into clicking a link or submitting a form, causing the targeted user account to be prematurely approved or deliberately rejected. This compromises the integrity of the user registration workflow and could be leveraged to grant unauthorized access or deny legitimate users. The weakness corresponds to CWE-352. No confidential data is disclosed, but the integrity of account states is directly altered.
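The following is an added illustration, not the plugin's own code, of the control the advisory says is missing: an approve/reject handler that verifies a WordPress nonce before touching account state, alongside the link builder that issues the nonce. All function names, the hook name and the user meta key are assumptions for this example; the WordPress API calls themselves are real.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical admin-side
// approve/reject handler with the CSRF protection the advisory says is missing.
// Function names, the hook suffix and the meta key are assumptions for this example.

// 1. Build the approve/reject links with a nonce bound to the action AND the user id.
function example_moderation_links( int $user_id ): array {
    $links = [];
    foreach ( [ 'approve', 'reject' ] as $decision ) {
        $url = add_query_arg(
            [ 'action' => 'example_update_action', 'user_id' => $user_id, 'decision' => $decision ],
            admin_url( 'admin-post.php' )
        );
        // Tying the nonce to the user id means a token issued for one account
        // cannot be reused to approve or reject a different one.
        $links[ $decision ] = wp_nonce_url( $url, 'example_update_action_' . $user_id, '_wpnonce' );
    }
    return $links;
}

// 2. Handler: verify the nonce BEFORE changing any state, then check capability.
function example_update_action_handler(): void {
    $user_id  = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
    $decision = isset( $_GET['decision'] ) ? sanitize_key( $_GET['decision'] ) : '';

    // This is the check a vulnerable handler omits. A forged cross-site request
    // carries the administrator's session cookies but cannot carry a valid nonce,
    // so check_admin_referer() calls wp_die() and no state change happens.
    check_admin_referer( 'example_update_action_' . $user_id, '_wpnonce' );

    // A nonce only proves the request was intended; authorization is a separate check.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    if ( 0 === $user_id || ! in_array( $decision, [ 'approve', 'reject' ], true ) ) {
        wp_die( 'Invalid request.', 400 );
    }

    update_user_meta( $user_id, 'example_account_status', 'approve' === $decision ? 'approved' : 'rejected' );
    wp_safe_redirect( add_query_arg( 'updated', $decision, wp_get_referer() ?: admin_url( 'users.php' ) ) );
    exit;
}
add_action( 'admin_post_example_update_action', 'example_update_action_handler' );
```

When reviewing a plugin for this class of bug, the test is simple: every state-changing handler must reach a nonce check (check_admin_referer() or wp_verify_nonce()) and a capability check before its first write.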
Affected Systems
The vulnerability affects WordPress installations with the WP Frontend Profile plugin installed at version 1.3.8 or earlier. No specific WordPress core versions or other plugins are listed as prerequisites. Any site running one of the affected plugin versions is susceptible.
Risk and Exploitability
The CVSS v3.1 score of 4.3 indicates a moderate risk, primarily due to the limited attack scope. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to successfully social-engineer the site administrator into executing a forged request; no local or remote code execution is possible. If an administrator follows the malicious link, the plugin processes the approval or rejection without further user input, providing a straightforward attack path. Given the modest severity, the attack remains non-destructive, but it can lead to premature account activation, which may be leveraged in subsequent attack chains.
OpenCVE Enrichment