User Frontend < 4.3.2 – Subscriber+ PHP Object Injection | CVE 2026-5127 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Deserialization of Untrusted Data due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.

Affects Plugins

wp-user-frontend

Fixed in 4.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

d.v4n_s3c

Verified

No

WPVDB ID

4fdaff0c-4467-4be9-825a-2c246819a0f8

Timeline

Publicly Published

2026-05-07 (about 1 month ago)

Added

2026-05-07 (about 1 month ago)

Last Updated

2026-05-08 (about 1 month ago)

Other

Published

Title

Published

2024-04-09

Title

Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce < 2.6.4 - Authenticated (Admin+) PHP Object Injection

Published

2025-03-13

Title

CiyaShop - Multipurpose WooCommerce Theme < 4.19.1 - Unauthenticated PHP Object Injection

Published

2026-04-08

Title

Hiroshi < 1.6 - Unauthenticated PHP Object Injection

Published

2026-03-10

Title

Photo Contest | Competition | Video Contest <= 2.9.1 - Authenticated (Author+) PHP Object Injection

Published

2025-04-22

Title

uListing <= 2.2.0 - Authenticated (Administrator+) PHP Object Injection