CVE-2026-2233
Awaiting Analysis
Awaiting Analysis - Queue
Unauthorized Post Modification in User Frontend WordPress Plugin
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Wordfence
Description
Description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wedevs | wp_user_frontend | to 4.2.8 (inc) |
| wp_user_frontend | wp_user_frontend | to 4.2.8 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
