CVE-2026-1565 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: February 26, 2026
User Frontend - Unrestricted File Upload
Published: February 26, 2026Updated: February 26, 2026Remote Exploitable
Overview
User Frontend WordPress plugin <= 4.2.8 contains an unrestricted file upload vulnerability caused by improper file type validation in 'WPUF_Admin_Settings::check_filetype_and_ext' and 'Admin_Tools::check_filetype_and_ext', letting authenticated attackers with Author-level access upload arbitrary files, potentially enabling remote code execution.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers with Author-level access can upload arbitrary files, potentially leading to remote code execution and full server compromise.
Mitigation
Update to a version later than 4.2.8 or the latest available version.
References
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Admin/Admin_Tools.php?rev=3448772#L537
- https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend/trunk/includes/Admin/Admin_Tools.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c358cbe-7600-43a1-94a3-1530cdb5a9f3?source=cve
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/admin/class-admin-settings.php?rev=3448772#L571
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/admin/class-admin-settings.php?rev=3448772#L600
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Admin/Admin_Tools.php?rev=3448772#L444
Related Resources
Details
- CVE ID
- CVE-2026-1565
- Severity
- High
- CVSS Score
- 8.8
- Type
- unrestricted_file_upload
- Status
- new
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H