CVE-2025-13419
Unauthorized Data Modification in WP Front User Submit Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | front_user_submit | to 5.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP Front User Submit plugin for WordPress, specifically in versions up to and including 5.0.0. It is caused by a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint, which allows unauthenticated attackers to delete arbitrary media attachments.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to delete arbitrary media attachments without authentication, potentially leading to loss of important media content on your WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the '/wp-json/bfe/v1/revert' REST API endpoint. Look for unauthorized or unauthenticated POST requests attempting to delete media attachments. Using command-line tools like curl or wget, you can simulate or check for such requests. For example, to test if the endpoint is accessible without authentication, you might run: curl -X POST https://yourwordpresssite.com/wp-json/bfe/v1/revert -d '{"attachment_id":123}' -H 'Content-Type: application/json' and observe if the request is allowed or denied. Additionally, monitoring web server logs for POST requests to this endpoint from unknown or unauthenticated sources can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Front User Submit plugin (front-editor) to version 5.0.1 or later, which includes fixes that add proper authorization checks on the '/wp-json/bfe/v1/revert' REST API endpoint. This update ensures that only authorized users or the original uploader can delete attachments, preventing unauthorized deletion. Additionally, ensure your WordPress installation and PHP environment meet the plugin requirements (PHP 7.0+, WordPress 5.0+). If updating immediately is not possible, consider restricting access to the REST API endpoint via firewall rules or other access controls to prevent unauthenticated requests. [2]