CVE-2026-12406 PUBLISHED

User Frontend <= 4.3.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion via 'attach_id' Parameter

Assigner: Wordfence
Reserved: 16.06.2026 Published: 09.07.2026 Updated: 09.07.2026

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary media attachments whose post_author is 0, such as guest and registration-form uploads, via the wpuf_file_del AJAX action. This is exploitable by unauthenticated visitors on any site where a WPUF shortcode is rendered on a front-end page, as this causes the valid wpuf_nonce value to be localized into publicly accessible JavaScript objects (wpuf_upload and wpuf_frontend), satisfying the sole access control gate.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor wedevs
Product User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration
Versions Default: unaffected
  • affected from 0 to 4.3.7 (incl.)

Credits

  • mrvincere finder

References

Problem Types

  • CWE-862 Missing Authorization CWE