CVE-2026-1644
CSRF Vulnerability in WP Frontend Profile Plugin Allows Account Manipulation
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_front_end_profile | up to and including 1.3.8 |
| wordfence | wp_front_end_profile | 1.3.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Frontend Profile plugin for WordPress (up to version 1.3.8) is a Cross-Site Request Forgery (CSRF) issue in the 'update_action' function. This function lacked nonce validation, which is a security measure to verify that requests are legitimate and intended by an authenticated user.

Because of this missing nonce check, an unauthenticated attacker can craft a malicious request that tricks an administrator into clicking a link or performing an action. This forged request can then approve or reject user account registrations without proper authorization.

The vulnerability was fixed in version 1.3.9 by adding nonce verification, capability checks to ensure only authorized users can approve or reject users, and strict validation of input parameters. [3]
How can this vulnerability impact me?
This vulnerability allows an attacker to manipulate user account registrations by approving or rejecting them without proper authorization. If exploited, it could lead to unauthorized user accounts being approved or legitimate registrations being rejected.
Such unauthorized actions can undermine the integrity of user management on your WordPress site, potentially allowing malicious users to gain access or legitimate users to be denied access.
The attack requires tricking an administrator into performing an action, such as clicking a malicious link, which then executes the forged request.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or forged HTTP requests targeting the 'update_action' function of the WP Frontend Profile plugin, specifically requests that attempt to approve or reject user registrations without proper nonce validation.

You can look for suspicious GET requests containing parameters like 'action=approve' or 'action=rejected' along with a 'user' parameter, especially if these requests lack a valid nonce or originate from unexpected sources.

Example commands to detect such attempts include:

- Using web server logs (e.g., Apache or Nginx) to search for suspicious requests: `grep -i 'action=approve' /var/log/apache2/access.log` or `grep -i 'action=rejected' /var/log/apache2/access.log`
- Using network monitoring tools like tcpdump or Wireshark to filter HTTP GET requests with these parameters.
- Using WordPress audit or security plugins to log and alert on user approval or rejection actions without proper nonce verification. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Frontend Profile plugin to version 1.3.9 or later, where the vulnerability has been fixed.

The fix includes adding nonce verification to the 'update_action' function, validating required parameters, and enforcing capability checks to ensure only authorized users can approve or reject user registrations.

If updating immediately is not possible, consider temporarily disabling the user approval/rejection functionality or restricting access to the affected endpoints to trusted administrators only.

Additionally, monitor your logs for suspicious activity as described above and inform administrators to be cautious about clicking on unknown or suspicious links that could trigger forged requests. [3]
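The three controls the fix describes (nonce verification, a capability check, and strict validation of the `action` and `user` parameters) in one approve/reject handler, written here as an added example and not the plugin's own code: the function name `wpfep_update_action`, the nonce action string and the user-meta key are assumptions, and the handler is hooked to `admin_init` only for illustration.

```php
<?php
// Added example, not the WP Frontend Profile plugin's own code.
// Hypothetical admin-side handler modelled on the description of the
// 1.3.9 fix: nonce verification, capability check, strict input validation.
// The nonce action name and the user-meta key below are assumptions.

const WPFEP_NONCE_ACTION = 'wpfep_update_action';   // assumed name
const WPFEP_STATUS_META  = 'wpfep_approval_status'; // assumed meta key

// Build an approve/reject link that carries a nonce bound to the target user,
// so a link copied from one user's row cannot be replayed against another.
function wpfep_action_url( int $user_id, string $action ): string {
    $url = add_query_arg(
        array( 'action' => $action, 'user' => $user_id ),
        admin_url( 'users.php' )
    );
    return wp_nonce_url( $url, WPFEP_NONCE_ACTION . '_' . $user_id );
}

function wpfep_update_action(): void {
    if ( ! isset( $_GET['action'], $_GET['user'] ) ) {
        return; // not one of our requests
    }
    $action  = sanitize_text_field( wp_unslash( $_GET['action'] ) );
    $user_id = absint( $_GET['user'] );

    // Strict validation: only the two known actions and a positive user id.
    if ( ! in_array( $action, array( 'approve', 'rejected' ), true ) || 0 === $user_id ) {
        return;
    }
    // Capability check: only accounts allowed to manage users may act,
    // regardless of how the request reached the site.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF check: the nonce is tied to this action and this user id, so a
    // link forged by a third party (the CVE-2026-1644 scenario) dies here.
    check_admin_referer( WPFEP_NONCE_ACTION . '_' . $user_id );

    if ( ! get_userdata( $user_id ) ) {
        wp_die( 'Unknown user.', 400 );
    }
    update_user_meta( $user_id, WPFEP_STATUS_META, $action );
}
add_action( 'admin_init', 'wpfep_update_action' );
```

The order matters: the capability check runs before the nonce check so that an unauthenticated visitor hitting the endpoint gets a 403 rather than a nonce error that leaks nothing useful either way, and the user lookup runs only after both pass.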