User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration < 4.2.6 – Missing Authorization | CVE 2026-24364 | Plugin Vulnerabilities

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

wp-user-frontend

Fixed in 4.2.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/09e5391d-2671-4bb4-9adc-29b5fdb59240

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

44b290be-0e1b-4f47-b2c6-8b5b7a7936f6

Timeline

Publicly Published

2026-03-10 (about 2 months ago)

Added

2026-03-19 (about 2 months ago)

Last Updated

2026-03-19 (about 2 months ago)

Other

Published

Title

Published

2025-12-12

Title

Directory Pro <= 2.5.6 - Missing Authorization

Published

2023-10-19

Title

Just Custom Fields <= 3.3.2 - Missing Authorization on AJAX Actions

Published

2023-11-16

Title

Restaurant & Cafe Addon for Elementor < 1.5.4 - Missing Authorization via multiple AJAX functions

Published

2023-11-30

Title

Quotes for WooCommerce < 2.0.2 - Missing Authorization

Published

2025-09-26

Title

EmailKit < 1.6.1 - Missing Authorization to Authenticated (Author+) Arbitrary Content Deletion