CVE-2026-2233
Unauthorized Post Modification in User Frontend WordPress Plugin
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wedevs | wp_user_frontend | to 4.2.8 (inc) |
| wp_user_frontend | wp_user_frontend | to 4.2.8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress, specifically in the draft_post() function. Due to a missing capability check, unauthenticated attackers can modify arbitrary posts by exploiting the 'post_id' parameter. This means attackers can unpublish published posts or overwrite their contents without proper authorization.
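The missing check described above, shown as an added example of a hardened WordPress AJAX handler; this is not the plugin's code or its actual fix. The handler name `example_draft_post`, the action and nonce names, and the `post_title`/`post_content` fields are hypothetical; only `post_id` comes from the advisory.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's own code.
// Registered for logged-in users only: no wp_ajax_nopriv_ hook exists,
// so unauthenticated requests never reach the function.
add_action( 'wp_ajax_example_draft_post', 'example_draft_post' );

function example_draft_post() {
    // 1. CSRF protection. A nonce proves intent, not permission,
    //    so it does not replace the capability checks below.
    check_ajax_referer( 'example_draft_post_nonce', 'nonce' );

    // 2. Treat the client-supplied post_id as untrusted input.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;

    if ( $post_id ) {
        if ( ! get_post( $post_id ) ) {
            wp_send_json_error( array( 'message' => 'Post not found.' ), 404 );
        }
        // 3. The authorization check CWE-862 refers to: may the current
        //    user edit this specific post? 'edit_post' is a meta capability
        //    that WordPress maps to ownership and post status.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
        }
    } elseif ( ! current_user_can( 'edit_posts' ) ) {
        // Creating a new draft requires the general capability (assumed policy).
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $postarr = array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['post_title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['post_content'] ?? '' ) ),
    );

    if ( $post_id ) {
        // Existing post: update content only, so a published post
        // is never silently switched back to draft.
        $postarr['ID'] = $post_id;
        $result        = wp_update_post( $postarr, true );
    } else {
        $postarr['post_status'] = 'draft';
        $result                 = wp_insert_post( $postarr, true );
    }

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $result ) );
}
```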
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify content on your WordPress site. They can unpublish posts or change post contents arbitrarily, which can lead to misinformation, loss of content integrity, and potential disruption of your website's normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know