WP-Safety
CVE-2026-32485

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.2.9
Patched in
11d
Time to patch

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.2.8
PublishedMarch 23, 2026
Last updatedApril 2, 2026
Affected pluginwp-user-frontend

What Changed in the Fix

Changes introduced in v4.2.9

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v4.2.8
Browse source Download .zip
Patched v4.2.9
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-32485 (WP User Frontend) ## 1. Vulnerability Summary The **WP User Frontend** plugin (versions <= 4.2.8) is vulnerable to **Missing Authorization**. The vulnerability exists in the `dismiss_paypal_notice` method within the `WeDevs\Wpuf\Lib\Gateway\Paypal` clas…

Show full research plan

Exploitation Research Plan: CVE-2026-32485 (WP User Frontend)

1. Vulnerability Summary

The WP User Frontend plugin (versions <= 4.2.8) is vulnerable to Missing Authorization. The vulnerability exists in the dismiss_paypal_notice method within the WeDevs\Wpuf\Lib\Gateway\Paypal class. While the function implements a nonce check, it fails to perform a capability check (e.g., current_user_can('manage_options')). This allows any user (or unauthenticated attackers, if the hook is exposed to nopriv) to perform the unauthorized action of dismissing administrative notices by updating the wpuf_paypal_settings_notice_dismissed option in the database.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: wpuf_dismiss_paypal_notice
  • HTTP Method: POST
  • Parameters:
    • action: wpuf_dismiss_paypal_notice
    • nonce: A valid WordPress nonce for the action wpuf_dismiss_paypal_notice.
  • Authentication: The CVSS vector indicates PR:N (Unauthenticated). This implies that either the wp_ajax_nopriv_wpuf_dismiss_paypal_notice hook is registered in the full plugin code or the nonce is obtainable and the handler is accessible.
  • **V
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4cf3ab0-7215-43f2-8ad7-c587d3376c26?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database