8.8
WordPress Plugin Allows Malicious Files to be Uploaded
CVE-2026-1565
Summary
The User Frontend plugin for WordPress allows authenticated attackers with Author-level access or above to upload arbitrary files to the site's server, potentially leading to remote code execution and site compromise. This affects all versions of the plugin up to and including 4.2.8. Update to the latest version to fix this vulnerability.
Original title
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type valid...
Original description
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
nvd CVSS3.1
8.8
Vulnerability type
CWE-434
Unrestricted File Upload
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/admin/class-ad...
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/admin/class-ad...
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Admin...
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Admin...
- https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend/trunk/incl...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c358cbe-7600-43a1-94a...
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026