Description
Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken access control flaw in the WordPress WP User Frontend plugin, versions up to and including 4.3.7. It permits an attacker without administrative credentials to access privileged functions, potentially modifying or deleting content, settings, or users. The weakness is a classic case of missing authorization, classified as CWE-862.

Affected Systems

The affected vendor is weDevs, and the affected product is the WP User Frontend plugin. All installations running plugin version 4.3.7 or earlier are vulnerable. No other versions or products are listed.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. No EPSS score is available, the SSVC entry in this record's history lists Exploitation as 'none', and the vulnerability is not listed in CISA's KEV catalog. Because the flaw requires no authentication, an attacker only needs to know a valid URL, which can be discovered through normal site exploration or scanning, making exploitation relatively straightforward.

Generated by OpenCVE AI on June 29, 2026 at 17:06 UTC.

Remediation

Vendor Solution

Update the WordPress WP User Frontend Plugin to the latest available version (at least 4.3.8).


OpenCVE Recommended Actions

  • Upgrade the WP User Frontend plugin to version 4.3.8 or newer
  • If upgrade cannot be performed immediately, temporarily disable the plugin to block unauthenticated access
  • Review plugin settings and configuration to enforce authentication for all administrative functions and remove any permissions that grant anonymous users elevated rights
  • Monitor site logs for unauthorized activity related to the plugin and set up alerts for suspicious events

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
Title | | WordPress WP User Frontend plugin <= 4.3.7 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:53:10.432Z

Reserved: 2026-06-24T12:45:19.178Z

Link: CVE-2026-57334

Vulnrichment

Updated: 2026-06-29T15:52:34.887Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T17:15:04Z

Weaknesses