WordPress Plugin Vulnerabilities

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration < 4.2.9 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.

Affects Plugins

Plugin icon
wp-user-frontend
Fixed in 4.2.9

References

CVE
CVE-2026-2233
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Supakiad S. (m3ez)
Verified
No
WPVDB ID
9d8afca7-f227-4023-aa5a-06875ca23c85

Timeline

Publicly Published
2026-03-14 (about 2 months ago)
Added
2026-03-14 (about 2 months ago)
Last Updated
2026-03-15 (about 2 months ago)

Other

Published
Title
Published
2025-10-31
Title
Bard <= 2.229 - Missing Authorization
Published
2026-05-27
Title
SMTP2GO for WordPress < 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate
Published
2024-03-06
Title
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization
Published
2024-04-29
Title
ReviewX < 1.6.22 - Missing Authorization
Published
2024-06-28
Title
Newspack Blocks < 3.0.9 - Missing Authorization