Description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin allows authenticated users with Subscriber-level access or higher to inject arbitrary PHP objects through the wpuf_files parameter during form submission. This occurs because the plugin performs unconditional deserialization with maybe_unserialize() when rendering post content, and insufficient input validation and type checking permit a serialized object string to reach that call. If a property-oriented programming (POP) gadget chain is available on the host, the attacker can execute arbitrary code, delete files, and perform other destructive actions.
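The two properties the advisory names, a missing type check on wpuf_files at submission time and an unconditional maybe_unserialize() at display time, are easiest to see side by side. The PHP below is an added illustration written for this page, not the plugin's code: the function names, the $meta array standing in for post meta, and the JSON-backed storage are assumptions. It shows the unsafe store-then-deserialize pattern and a hardened version that validates the field as a list of attachment IDs and never instantiates classes when reading stored data back.

```php
<?php
// Added illustration (not the plugin's code). Names other than wpuf_files and
// maybe_unserialize() are assumed for the example.

// Stand-in for WordPress's maybe_unserialize() so the file runs outside
// WordPress. The real helper checks is_serialized() and then calls
// unserialize() with no class restrictions, which is the behaviour at issue.
if (!function_exists('maybe_unserialize')) {
    function maybe_unserialize($data) {
        $value = is_string($data) ? @unserialize($data) : false;
        return $value === false ? $data : $value;
    }
}

// Simulated post-meta store (stands in for update_post_meta/get_post_meta).
$meta = [];

// UNSAFE PATTERN: whatever the request carried in wpuf_files is stored as-is,
// and later handed to maybe_unserialize(). A serialized object string from
// any user who can submit the form becomes a live object on display (CWE-502).
function save_vulnerable(array &$meta, array $request) {
    $meta['wpuf_files'] = $request['wpuf_files'] ?? '';
}
function render_vulnerable(array $meta) {
    return maybe_unserialize($meta['wpuf_files']);
}

// HARDENED, step 1: enforce the expected type at input. wpuf_files is meant to
// be a list of attachment IDs, so anything that is not an array of positive
// integers is refused before it reaches storage. A bare string, serialized or
// not, never gets through.
function save_hardened(array &$meta, array $request) {
    $files = $request['wpuf_files'] ?? [];
    if (!is_array($files)) {
        return false;
    }
    $ids = [];
    foreach ($files as $f) {
        if (!is_int($f) && !ctype_digit((string) $f)) {
            return false;
        }
        $id = (int) $f;
        if ($id <= 0) {
            return false;
        }
        $ids[] = $id;
    }
    // Store a format that cannot encode PHP objects at all.
    $meta['wpuf_files'] = json_encode($ids);
    return true;
}

// HARDENED, step 2: reading back never instantiates classes, even for a legacy
// PHP-serialized value still sitting in the database. With allowed_classes set
// to false any object becomes __PHP_Incomplete_Class, whose magic methods
// (__wakeup, __destruct, __toString) are never invoked.
function render_hardened(array $meta) {
    $raw = $meta['wpuf_files'] ?? '[]';
    $decoded = json_decode($raw, true);
    if (is_array($decoded)) {
        return array_values(array_filter(array_map('intval', $decoded), fn($v) => $v > 0));
    }
    $legacy = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($legacy)) {
        return [];
    }
    return array_values(array_filter($legacy, 'is_int'));
}

// Constructed inputs for a stand-alone run. A plain stdClass is enough to show
// the difference; no gadget class is needed.
$legit        = ['wpuf_files' => ['12', '34']];
$objectString = ['wpuf_files' => serialize(new stdClass())];

save_vulnerable($meta, $objectString);
$vulnResult = render_vulnerable($meta);          // an instantiated stdClass

$rejected = save_hardened($meta, $objectString); // false: refused at input
save_hardened($meta, $legit);
$hardenedResult = render_hardened($meta);        // [12, 34]

$meta['wpuf_files'] = serialize(new stdClass()); // legacy object string in storage
$legacyResult = render_hardened($meta);          // [] : no class instantiated

var_dump($vulnResult instanceof stdClass, $rejected, $hardenedResult, $legacyResult);
```

The two hardening steps are independent and both are worth having: the input check closes the path the advisory describes, while the restricted read protects against values that were written before the fix or by another code path. A detection-side takeaway is the same shape: a wpuf_files value that is a string rather than an array of numeric IDs, and in particular one beginning with O: or a:, is not something a legitimate form submission produces.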

Affected Systems

The affected product is WeDevs' User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress. Versions up to and including 4.3.1 are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 marks this as a high-severity flaw; the EPSS score shown is very low (below 1%) and there is no KEV listing, but neither diminishes the seriousness of the issue. The attack vector requires the attacker to be a legitimate user with at least Subscriber capabilities, so the risk comes from any account that can log in. Once such a user injects a malicious payload, a POP chain on the host can turn it into remote code execution and extensive damage.

Generated by OpenCVE AI on May 8, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 4.3.2 or later to remove the vulnerable deserialization code.
  • If a patch cannot be applied immediately, restrict or remove Subscriber-level access where possible, and disable the file upload features that rely on the wpuf_files parameter.
  • Conduct a rapid security audit of the site for signs of unauthorized file modifications or code injection, and review user logs for anomalous action by subscriber accounts.

Advisories

No advisories yet.

References
Links

https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103
https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959
https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve
History

Fri, 08 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added:
  • Wedevs
  • Wedevs user Frontend: Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Wedevs
  • Wedevs user Frontend: Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration
  • Wordpress
  • Wordpress wordpress

Fri, 08 May 2026 09:00:00 +0000

Type: Description
Values Added: The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.

Type: Title
Values Added: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wedevs User Frontend: Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-08T08:26:32.725Z

Reserved: 2026-03-30T09:06:07.574Z

Link: CVE-2026-5127

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T09:16:08.803

Modified: 2026-05-08T09:16:08.803

Link: CVE-2026-5127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T10:30:06Z

Weaknesses