CVE-2026-5127
Deserialization Flaw in User Frontend WordPress Plugin
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_user_frontend | wp_user_frontend | up to and including 4.3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress, affecting versions up to and including 4.3.1.
It is caused by insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via the maybe_unserialize() function when displaying post content.
This allows authenticated attackers with Subscriber-level access or higher to inject arbitrary PHP objects. If a suitable POP (Property Oriented Programming) chain exists on the target system, this can be exploited to execute arbitrary code, delete files, or perform other malicious actions.
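As an added example (not the plugin's or WordPress core's own code), the unsafe pattern the answer describes next to a hardened version: validate wpuf_files as a list of attachment IDs on input, and never let unserialize() instantiate classes on output. The function names, the assumption that wpuf_files carries attachment IDs, and the minimal maybe_unserialize() stand-in (so the file runs outside WordPress) are illustrative.

```php
<?php
// Added example, not the plugin's or WordPress core's code. Function names
// and the assumed shape of wpuf_files (a list of attachment IDs) are
// illustrative. Minimal stand-in so the file runs outside WordPress:
if ( ! function_exists( 'maybe_unserialize' ) ) {
    function maybe_unserialize( $data ) {
        // Like core: deserialize anything that looks serialized, classes allowed.
        return ( is_string( $data ) && preg_match( '/^[aOsibdN]:/', $data ) )
            ? @unserialize( trim( $data ) ) : $data;
    }
}

// Unsafe pattern described above: the stored form value goes straight into
// maybe_unserialize(), so any serialized object is instantiated and its
// magic methods (__wakeup, __destruct, ...) run.
function insecure_read_file_ids( string $stored ) {
    return maybe_unserialize( $stored );
}

// Hardened input side: keep only positive integers, drop everything else.
function sanitize_file_ids( $raw ): array {
    if ( ! is_array( $raw ) ) {
        return array();
    }
    $ids = array();
    foreach ( $raw as $value ) {
        if ( is_int( $value ) || ( is_string( $value ) && ctype_digit( $value ) ) ) {
            if ( (int) $value > 0 ) {
                $ids[] = (int) $value;
            }
        }
    }
    return array_values( array_unique( $ids ) );
}

// Hardened output side: never instantiate classes, then re-validate shape.
function safe_read_file_ids( string $stored ): array {
    // allowed_classes => false turns any object into __PHP_Incomplete_Class,
    // so no gadget class can run code; the shape check then discards it.
    $data = @unserialize( $stored, array( 'allowed_classes' => false ) );
    return sanitize_file_ids( $data );
}

// Constructed inputs: a legitimate ID list (with junk entries) and an object.
$ok  = serialize( array( '3', 17, 'abc', -2 ) );
$obj = serialize( new stdClass() );
var_dump( safe_read_file_ids( $ok ) );  // junk entries are dropped
var_dump( safe_read_file_ids( $obj ) ); // object never reaches the caller
```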
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized execution of arbitrary code on the affected system.
Attackers can delete arbitrary files or perform other malicious actions, potentially compromising the integrity, confidentiality, and availability of the system.
Since the exploit requires only Subscriber-level access, it lowers the barrier for attackers who have limited privileges to escalate their impact.