WordPress Plugin Vulnerabilities

User Frontend < 4.2.9 - Author+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wp-user-frontend
Fixed in 4.2.9

References

CVE
CVE-2026-1565
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2c358cbe-7600-43a1-94a3-1530cdb5a9f3

Miscellaneous

Original Researcher
Williwollo (CybrX)
Verified
No
WPVDB ID
d5757bfc-d28c-40bf-af5c-941121eab416

Timeline

Publicly Published
2026-02-26 (about 1 month ago)
Added
2026-02-26 (about 1 month ago)
Last Updated
2026-02-26 (about 1 month ago)

Other

Published
Title
Published
2014-08-01
Title
Category Grid View Gallery 0.1.1 - Shell Upload
Published
2023-09-26
Title
Welcart e-Commerce < 2.8.22 - Editor+ Arbitrary File Upload
Published
2025-12-09
Title
Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
Published
2014-08-01
Title
Image News Slider - Arbitrary File Upload
Published
2025-07-03
Title
Download Plugin < 2.2.9 - Authenticated (Administrator+) Arbitrary File Upload