WP User Frontend < 4.2.5 – Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | CVE 2025-14047 | Plugin Vulnerabilities

Description

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment.

Affects Plugins

wp-user-frontend

Fixed in 4.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e95b16f-a25a-45c7-a875-2d34a1e127ce

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

e667278f-7563-4c58-ba82-a6d50e1a7a30

Timeline

Publicly Published

2026-01-01 (about 5 months ago)

Added

2026-01-01 (about 5 months ago)

Last Updated

2026-01-23 (about 4 months ago)

Other

Published

Title

Published

2026-03-16

Title

TotalPoll for Polls and Contests <= 4.12.0 - Authenticated (Contributor+) Remote Code Execution

Published

2025-01-31

Title

Hide Shipping Method For WooCommerce < 1.5.2 - Missing Authorization

Published

2025-06-19

Title

App Builder < 5.5.8 - Missing Authorization

Published

2025-03-06

Title

Golo - Directory & Listing, Travel WordPress Theme < 1.6.11 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change

Published

2024-09-10

Title

HTML5 Video Player – mp4 Video Player Plugin and Block < 2.5.35 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update