Description
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through <= 4.2.8.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in the WP User Frontend plugin allows an attacker to exploit incorrectly configured access control security levels, giving unauthorized access to protected plugin features or data. The flaw is defined as CWE-862 and can lead to data disclosure or modification if the attacker succeeds.

Affected Systems

All installations of the weDevs WP User Frontend plugin from the earliest releases through version 4.2.8 are affected. WordPress sites that use any of these plugin versions are vulnerable to the broken access control. The plugin is widely used for front‑end user management.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating moderate‑to‑high severity, and an EPSS score of less than 1%, suggesting a low probability of current exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is remote via the web; an attacker only needs network access to the WordPress site and the ability to interact with the front‑end interface. No public exploit code is reported, but the simple missing check could be leveraged with a custom script.

Generated by OpenCVE AI on March 26, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP User Frontend to a version newer than 4.2.8 when it becomes available
  • If an update is not yet available, restrict the plugin’s functionality by removing incorrect permission levels or disabling front‑end access until a patch is released
  • Monitor the plugin’s official website and security advisories for any CVE‑2026‑32485 related patches

Tracking

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added

Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added

First Time appeared
  Wedevs
  Wedevs wp User Frontend
  Wordpress
  Wordpress wordpress

Vendors & Products
  Wedevs
  Wedevs wp User Frontend
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added

Description
  Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.

Title
  WordPress WP User Frontend plugin <= 4.2.8 - Broken Access Control vulnerability

Weaknesses
  CWE-862

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:06:17.049Z

Reserved: 2026-03-12T11:11:55.348Z

Link: CVE-2026-32485

Vulnrichment

Updated: 2026-03-26T19:00:03.993Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:59.593

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:10Z

Weaknesses