Authorization Bypass in WordPress Plugin Affecting User Registration and Media Management
CVE-2026-12406
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-12406?
The User Frontend plugin for WordPress allows for an authorization bypass, permitting unauthorized users to delete media attachments linked to guest uploads and registration forms. This vulnerability arises from inadequate verification of user permissions, specifically through the wpuf_file_del AJAX action. Attackers can exploit this weakness on any site using the WPUF shortcode on a front-end page, exposing the wpuf_nonce to public JavaScript objects, which leads to compromised media management capabilities.
Affected Version(s)
User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration 0 <= 4.3.7