Front-End-Only-Users < 3.2.33 – Unauthenticated Arbitrary File Upload | CVE 2025-2005 | Plugin Vulnerabilities

Description

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

front-end-only-users

Fixed in 3.2.33

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/102223a1-07f5-485b-a6af-49cf316d9797

Miscellaneous

Original Researcher

Kishan Vyas

Verified

No

WPVDB ID

042bc565-265f-4ebf-80a8-a7563ff9f611

Timeline

Publicly Published

2025-04-01 (about 1 year ago)

Added

2025-04-01 (about 1 year ago)

Last Updated

2025-12-11 (about 5 months ago)

Other

Published

Title

Published

2024-10-04

Title

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress < 6.5.8 - Authenticated (Subscriber+) Limited JavaScript File Upload

Published

2014-08-01

Title

accordion - Arbitrary File Upload

Published

2024-07-08

Title

Gutenberg Forms <= 2.2.9 - Unauthenticated Arbitrary File Upload

Published

2026-03-20

Title

Green Downloads < 2.09 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-11-11

Title

kineticPay for WooCommerce < 3.0 - Unauthenticated Arbitrary File Upload