{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24364", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.872Z", "datePublished": "2026-03-25T16:14:31.531Z", "dateUpdated": "2026-03-25T16:14:31.531Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-user-frontend", "product": "WP User Frontend", "vendor": "weDevs", "versions": [{"changes": [{"at": "4.2.6", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.637Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP User Frontend: from n/a through <= 4.2.5.</p>"}], "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.531Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP User Frontend plugin <= 4.2.5 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.5."}], "id": "CVE-2026-24364", "lastModified": "2026-03-25T17:16:37.243", "metrics": {}, "published": "2026-03-25T17:16:37.243", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:52:36.244535+00:00", "value": {"mitigation_remediation": ["Update the WP User Frontend plugin to any version newer than 4.2.5.", "Verify that access controls are enforced after the update by testing restricted areas with non\u2011admin accounts.", "If an update cannot be performed immediately, restrict the plugin\u2019s public pages to privileged roles using a role\u2011based access control plugin or adjust the plugin\u2019s settings."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized privilege escalation"}, "threat_synthesis": {"affected_systems": "WordPress installations running any version of the WP User Frontend plugin up through 4.2.5 are affected. This includes sites that have never updated past this version, regardless of the underlying WordPress core build.", "description_and_impact": "Missing authorization in the weDevs WP User Frontend plugin allows an attacker to bypass configured access controls, enabling unauthorized actions such as viewing or modifying content that should be restricted. The flaw can lead to elevated privileges, exposing sensitive data or altering site contents, compromising integrity and confidentiality.", "risk_and_exploitability": "The CVSS score is not published and EPSS data is unavailable, which suggests limited public exploitation. The likely attack vector is remote, using crafted HTTP requests to the plugin\u2019s endpoints to exploit the missing authorization checks, giving an authenticated or even unauthenticated user the ability to elevate privileges or alter content. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-03-25T21:34:50.766690+00:00", "updated": "2026-03-25T21:34:50.766759+00:00", "vendors": []}