CVE-2026-2233

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
Configurations

No configuration.

History

22 Apr 2026, 21:30

Type Values Removed Values Added
Summary
  • (es) The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the draft_post() function in all versions up to and including 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (for example, unpublish already published posts and overwrite the content) via the 'post_id' parameter.

16 Mar 2026, 14:19

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-16 14:19

Updated : 2026-04-22 21:30


NVD link : CVE-2026-2233

Mitre link : CVE-2026-2233

CVE.ORG link : CVE-2026-2233


Products Affected

No product.

CWE
CWE-862

Missing Authorization