{"id":52366,"date":"2026-05-08T05:40:32","date_gmt":"2026-05-08T05:40:32","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=52366"},"modified":"2026-05-08T05:40:32","modified_gmt":"2026-05-08T05:40:32","slug":"user-frontend-ai-powered-frontend-posting-user-directory-profile-membership-user-registration-431-au","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=52366","title":{"rendered":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &#038; User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection_CVE-2026-5127"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.&#8221;,&#8221;published&#8221;:&#8221;2026-05-08T08:26:32.725Z&#8221;,&#8221;modified&#8221;:&#8221;2026-05-08T08:26:32.725Z&#8221;,&#8221;type&#8221;:&#8221;cve&#8221;,&#8221;title&#8221;:&#8221;User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration \\u003c= 4.3.1 &#8211; Authenticated (Subscriber+) PHP Object Injection&#8221;,&#8221;source&#8221;:&#8221;Wordfence&#8221;,&#8221;references&#8221;:&#8221;https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/wpuf-functions.php#L959\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/wpuf-functions.php#L959\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/wpuf-functions.php#L1103\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/wpuf-functions.php#L1103\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Traits\/FieldableTrait.php#L679\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Traits\/FieldableTrait.php#L679\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Traits\/FieldableTrait.php#L704\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Traits\/FieldableTrait.php#L704\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Traits\/FieldableTrait.php#L429\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Traits\/FieldableTrait.php#L429\\nhttps:\/\/plugins.tra
c.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Traits\/FieldableTrait.php#L502\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Traits\/FieldableTrait.php#L502\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Ajax\/Frontend_Form_Ajax.php#L35\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Ajax\/Frontend_Form_Ajax.php#L35\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/trunk\/includes\/Ajax\/Frontend_Form_Ajax.php#L36\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/wp-user-frontend\/tags\/4.2.10\/includes\/Ajax\/Frontend_Form_Ajax.php#L36\\nhttps:\/\/plugins.trac.wordpress.org\/changeset\/3514258\/wp-user-frontend\/trunk\/includes\/Traits\/FieldableTrait.php\\nhttps:\/\/plugins.trac.wordpress.org\/changeset?old_path=%2Fwp-user-frontend\/tags\/4.3.1\\u0026new_path=%2Fwp-user-frontend\/tags\/4.3.2&#8243;,&#8221;id&#8221;:&#8221;CVE-2026-5127&#8243;,&#8221;bulletinFamily&#8221;:&#8221;&#8221;,&#8221;cwe&#8221;:[&#8220;CWE-502&#8243;],&#8221;cvelist&#8221;:null,&#8221;sourceData&#8221;:&#8221;wedevs User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration 
0&#8243;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:8.8,&#8221;severity&#8221;:&#8221;HIGH&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;&#8221;,&#8221;category_name&#8221;:&#8221;CVE&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration&#8221;,&#8221;version&#8221;:&#8221;0&#8243;,&#8221;vendor&#8221;:&#8221;wedevs&#8221;,&#8221;ai_description&#8221;:&#8221;Deserialization of Untrusted Data vulnerability in User Frontend plugin for WordPress, allowing authenticated attackers to inject arbitrary PHP objects and execute arbitrary code, delete files, or perform other malicious 
actions if a POP chain is present on the target system.&#8221;,&#8221;ai_severity&#8221;:&#8221;High&#8221;,&#8221;ai_vendor&#8221;:&#8221;WeDevs&#8221;,&#8221;ai_product&#8221;:&#8221;User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration&#8221;,&#8221;ai_version&#8221;:&#8221;up to 4.3.1&#8243;,&#8221;ai_score&#8221;:8.8}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \\u0026 User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,41,12,15,13,7,11,5],"class_list":["post-52366","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &amp; User Registration<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=52366\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &amp; User Registration\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;The User Frontend: AI Powered Frontend Posting, User Directory, Profile, 
Membership u0026 User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=52366\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-08T05:40:32+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &#038; User Registration\",\"datePublished\":\"2026-05-08T05:40:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366\"},\"wordCount\":12,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.8\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52366#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366\",\"name\":\"User Frontend: AI Powered Frontend Posting, User Directory, Profile, 
Membership & User Registration\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-08T05:40:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52366\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52366#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &#038; User Registration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=52366","og_locale":"en_US","og_type":"article","og_title":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration","og_description":"{&#8220;lastseen&#8221;:&#8221;&#8221;,&#8221;description&#8221;:&#8221;The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership u0026 User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in...","og_url":"https:\/\/zero.redgem.net\/?p=52366","og_site_name":"zero redgem","article_published_time":"2026-05-08T05:40:32+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=52366#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=52366"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &#038; User Registration","datePublished":"2026-05-08T05:40:32+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=52366"},"wordCount":12,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.8","exploit","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=52366#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=52366","url":"https:\/\/zero.redgem.net\/?p=52366","name":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-08T05:40:32+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=52366#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=52366"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=52366#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &#038; User Registration"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52366"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52366\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}