CVE-2026-12418
Received Received - Intake

Insecure Direct Object Reference in User Frontend WordPress Plugin

Vulnerability report for CVE-2026-12418, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuf_files_data' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpuserfrontend wpuf to 4.3.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress, specifically all versions up to and including 4.3.7.

It is an Insecure Direct Object Reference (IDOR) vulnerability caused by missing validation on a user-controlled key in the 'wpuf_files_data' parameter.

Because of this, unauthenticated attackers can overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators.

Exploitation requires access to any WPUF post submission form, which is possible even for users with no WordPress role, since the wpuf_submit_post AJAX action is only protected by a nonce and lacks capability checks for the post-edit operation.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify the content of any post on the affected WordPress site, including those created by administrators.

Such unauthorized modifications can lead to misinformation, defacement, or injection of malicious content, potentially damaging the site's reputation and trustworthiness.

Since the attacker does not need any user privileges, the risk of exploitation is higher, and it can be used as a vector for further attacks or social engineering.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12418. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart