Insecure Direct Object Reference in User Frontend Plugin for WordPress
CVE-2026-5459
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2026-5459?
The User Frontend plugin for WordPress is vulnerable to an Insecure Direct Object Reference due to missing validation on the 'user_id' parameter in the payment_page() function. This security flaw allows unauthenticated attackers to activate free subscription packs for any user, potentially overwriting their existing paid subscriptions and resulting in the loss of access to paid features. Such vulnerabilities emphasize the importance of stringent access controls and parameter validation to protect user information and subscription integrity.
Affected Version(s)
User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration 0 <= 4.3.1