Description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
Published: 2026-03-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Immediate Patch
AI Analysis

Impact

The User Frontend plugin for WordPress (wedevs) contains a missing capability check within the draft_post() function in all releases up to and including version 4.2.8. Because of this omission, any user, including one who is not authenticated, can send requests that alter posts by specifying a post_id value. This allows attackers to change post content, unpublish posts, or overwrite existing data. The flaw is categorized as CWE-862 (Missing Authorization).
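The missing check is easiest to see in code. The PHP below is an added illustration of the CWE-862 pattern, not the plugin's own code: the handler names, nonce action and field names are assumptions. It places a draft_post-style AJAX handler that trusts post_id beside one that requires a logged-in user, a valid nonce, and the edit_post capability for that specific post.

```php
<?php
// Hypothetical illustration of the missing-capability-check pattern.
// Not the plugin's real code; handler, nonce and field names are assumed.

// Vulnerable shape: trusts 'post_id' from the request and never checks who
// is calling or whether that caller may edit the referenced post.
function hypothetical_draft_post_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_update_post( array(
        'ID'           => $post_id,
        'post_status'  => 'draft',
        'post_content' => wp_kses_post( wp_unslash( $_POST['post_content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// Hardened shape: authentication, CSRF nonce, existence check and a
// per-object capability check before any write.
function hypothetical_draft_post_checked() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'hypothetical_draft_post', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    // 'edit_post' is evaluated for this post ID, so an author cannot
    // reach another author's post, and an anonymous user fails outright.
    if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $updated = wp_update_post( array(
        'ID'           => $post_id,
        'post_status'  => 'draft',
        'post_content' => wp_kses_post( wp_unslash( $_POST['post_content'] ?? '' ) ),
    ), true );
    if ( is_wp_error( $updated ) ) {
        wp_send_json_error( $updated->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Register only the authenticated hook. Omitting the wp_ajax_nopriv_ variant
// means unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_hypothetical_draft_post', 'hypothetical_draft_post_checked' );
```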

Affected Systems

All installations of the WordPress plugin "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration" from wedevs that run version 4.2.8 or earlier are affected. No specific fixed version is mentioned in the CVE data, so any deployment of these or older versions is considered vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need only to craft an HTTP request containing a valid post_id parameter and submit it to the plugin's draft_post endpoint; no authentication is required. While the likelihood of exploitation appears low, the potential impact of content tampering or removal warrants immediate attention.

Generated by OpenCVE AI on March 16, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Frontend plugin to the latest available release that addresses the missing authorization check.
  • If an update cannot be applied immediately, deactivate or delete the plugin to prevent unauthorized post modifications.
  • Monitor site logs and audit post content for unintended changes to maintain content integrity.

Generated by OpenCVE AI on March 16, 2026 at 23:41 UTC.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Wedevs; Wedevs user Frontend Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Wedevs; Wedevs user Frontend Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration; Wordpress; Wordpress wordpress

Sun, 15 Mar 2026 02:30:00 +0000

Type: Description
Values Removed: none
Values Added: The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.

Type: Title
Values Removed: none
Values Added: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter

Type: Weaknesses
Values Removed: none
Values Added: CWE-862

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-16T19:12:15.863Z

Reserved: 2026-02-09T03:06:29.893Z

Link: CVE-2026-2233

Vulnrichment

Updated: 2026-03-16T19:11:26.891Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:28.950

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-2233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:00Z

Weaknesses