Insecure Direct Object Reference in User Frontend Plugin for WordPress
CVE-2026-12418
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-12418?
The User Frontend plugin for WordPress has a vulnerability that allows unauthenticated attackers to manipulate post data through the wpuf_files_data parameter. This flaw arises from insufficient validation on a user-controlled key, enabling the overwriting of post titles, contents, and excerpts of any post, including those created by site administrators. The exploitation occurs via accessible WPUF post submission forms, which are reachable by users without any assigned WordPress roles, as the wpuf_submit_post AJAX action only requires a nonce, lacking any further capability checks for the related post editing operations.
Affected Version(s)
User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration 0 <= 4.3.7