User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.

AI Analysis

Deserialization of Untrusted Data vulnerability in User Frontend plugin for WordPress, allowing authenticated attackers to inject arbitrary PHP objects and execute arbitrary code, delete files, or perform other malicious actions.

Basic Information

ID CVE-2026-5127

Source Wordfence

Published May 8, 2026 at 08:26

Affected Product

Vendor wedevs

Product User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

Affected Versions wedevs User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration 0

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor WeDevs

Product User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

Version up to 4.3.1

References

{
    "lastseen": "",
    "description": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.",
    "published": "2026-05-08T08:26:32.725Z",
    "modified": "2026-05-08T08:26:32.725Z",
    "type": "cve",
    "title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36\nhttps://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36\nhttps://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php\nhttps://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2",
    "id": "CVE-2026-5127",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "wedevs User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration",
    "version": "0",
    "vendor": "wedevs",
    "ai_description": "Deserialization of Untrusted Data vulnerability in User Frontend plugin for WordPress, allowing authenticated attackers to inject arbitrary PHP objects and execute arbitrary code, delete files, or perform other malicious actions.",
    "ai_severity": "High",
    "ai_vendor": "WeDevs",
    "ai_product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration",
    "ai_version": "up to 4.3.1",
    "ai_score": 8.8
}

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection_CVE-2026-5127