CVE-2026-24364

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 4.2.6
Time to patch: 10d

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.2.5
Published: March 10, 2026
Last updated: March 19, 2026
Affected plugin: wp-user-frontend

What Changed in the Fix

Changes introduced in v4.2.6


Source Code: WordPress.org SVN

Research Plan (Unverified)


Research Plan: CVE-2026-24364 - Missing Authorization in WP User Frontend

1. Vulnerability Summary

The WP User Frontend plugin (up to 4.2.5) suffers from a missing authorization vulnerability. While the plugin implements nonce checks for certain administrative AJAX actions, it fails to perform secondary capability checks (e.g., current_user_can('manage_options')). This allows authenticated users with Subscriber-level access to execute these actions if they can obtain or bypass the nonce.

The primary target identified in the source is the wpuf_dismiss_paypal_notice AJAX action, handled by the Paypal::dismiss_paypal_notice() function. This action modifies site options (specifically dismissing an admin-only notice), representing an unauthorized integrity change.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: wpuf_dismiss_paypal_notice
  • HTTP Method: POST
  • Parameters:
    • action: wpuf_dismiss_paypal_notice
    • nonce: A valid nonce for the wpuf_dismiss_paypal_notice action.
  • Authentication: Required (Subscriber level or above).
  • Precondition: The attacker must be logged in as a Subscriber.

3. Code Flow

  1. Entry Point: A Subscriber sends a POST request to admin-ajax.php with `action=wpuf_dismiss_
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP User Frontend plugin is vulnerable to unauthorized modification of site settings due to a missing capability check in its PayPal admin notice dismissal logic. Authenticated attackers with Subscriber-level permissions can dismiss important administrative notifications by exploiting the `wpuf_dismiss_paypal_notice` AJAX action.

Vulnerable Code

// Lib/Gateway/Paypal.php

add_action( 'wp_ajax_wpuf_dismiss_paypal_notice', [ $this, 'dismiss_paypal_notice' ] );

---

// Lib/Gateway/Paypal.php (dismiss_paypal_notice function logic)

public function dismiss_paypal_notice() {
    // Verify nonce
    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpuf_dismiss_paypal_notice' ) ) {
        wp_send_json_error( esc_html__( 'Invalid nonce', 'wp-user-frontend' ) );
    }

    // Missing capability check here (e.g., current_user_can( 'manage_options' ))

    update_option( 'wpuf_paypal_settings_notice_dismissed', true );
    wp_send_json_success();
}
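The pattern above (nonce verified, capability never checked) is easy to miss in review but easy to grep for. As an added example, not code from the plugin or from the advisory, the Python below pairs each wp_ajax_ registration in a PHP source with its callback body and reports handlers that never call current_user_can(). The embedded PHP sample is constructed from the snippet above; the hook regex and brace matching are deliberately simple and assume the callback is defined in the same file.

```python
import re
# Constructed sample built from the advisory's snippet: nonce check, no capability check.
VULNERABLE_PHP = r"""
add_action( 'wp_ajax_wpuf_dismiss_paypal_notice', [ $this, 'dismiss_paypal_notice' ] );
public function dismiss_paypal_notice() {
    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpuf_dismiss_paypal_notice' ) ) {
        wp_send_json_error( esc_html__( 'Invalid nonce', 'wp-user-frontend' ) );
    }
    update_option( 'wpuf_paypal_settings_notice_dismissed', true );
    wp_send_json_success();
}
"""
# The same handler with the capability guard the 4.2.6 fix adds.
FIXED_PHP = VULNERABLE_PHP.replace(
    "    update_option(",
    "    if ( ! current_user_can( 'manage_options' ) ) {\n"
    "        wp_send_json_error( esc_html__( 'Unauthorized', 'wp-user-frontend' ) );\n"
    "    }\n    update_option(",
)

# add_action( 'wp_ajax_<action>', [ $this, 'method' ] ) or ( 'wp_ajax_<action>', 'func' ); closures are not recognised.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<action>\w+)['\"]\s*,\s*"
    r"(?:\[\s*\$this\s*,\s*['\"](?P<method>\w+)['\"]\s*\]|['\"](?P<func>\w+)['\"])"
)

def function_body(src, name):
    """Return the brace-balanced body of `function <name>(...) { ... }`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unguarded_ajax_handlers(src):
    """(action, callback) pairs for wp_ajax_ hooks whose handler never calls current_user_can().
    wp_ajax_ hooks (unlike wp_ajax_nopriv_) run for any logged-in user; a nonce is not authorization."""
    findings = []
    for m in HOOK_RE.finditer(src):
        callback = m.group("method") or m.group("func")
        body = function_body(src, callback)
        if body is None:
            continue  # callback defined in another file; a single-file scan skips it
        if "current_user_can(" not in body.replace(" ", ""):
            findings.append((m.group("action"), callback))
    return findings
```

Run over the constructed sample it flags dismiss_paypal_notice; run over the same text with the 4.2.6 guard spliced in it reports nothing.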

Security Fix

--- Lib/Gateway/Paypal.php
+++ Lib/Gateway/Paypal.php
@@ -172,6 +172,10 @@
         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpuf_dismiss_paypal_notice' ) ) {
             wp_send_json_error( esc_html__( 'Invalid nonce', 'wp-user-frontend' ) );
         }
+
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( esc_html__( 'Unauthorized', 'wp-user-frontend' ) );
+        }
 
         update_option( 'wpuf_paypal_settings_notice_dismissed', true );
         wp_send_json_success();
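Review bot: The added current_user_can( 'manage_options' ) guard closes the gap for dismiss_paypal_notice only, while the research plan above describes the missing capability check as a pattern across the plugin's administrative AJAX actions; the other nonce-only wp_ajax_ handlers should receive the same guard in this change or be explicitly confirmed as safe. Placing the check after the nonce verification and before update_option() is correct, and it relies on wp_send_json_error() terminating the request via wp_die(), so the option write is unreachable on both rejection paths.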

Exploit Outline

The exploit target is the PayPal configuration notice dismissal mechanism. An authenticated attacker needs to:

  1. Log into the WordPress site with Subscriber-level access or higher.
  2. Obtain a valid WordPress nonce for the action 'wpuf_dismiss_paypal_notice'. While the plugin attempts to restrict the notice visibility to admins, WordPress nonces are often accessible to all logged-in users if rendered in common scripts or leaked via other vulnerabilities.
  3. Send an authenticated POST request to /wp-admin/admin-ajax.php with the following parameters: action=wpuf_dismiss_paypal_notice and nonce=[VALID_NONCE].
  4. Because the server fails to check for administrative capabilities, it will update the 'wpuf_paypal_settings_notice_dismissed' option in the database, affecting site-wide administrative UI state.
