CVE-2026-5127 - Vulnerability Analysis
Severity: High
CVSS: 8.8
Last Updated: May 8, 2026
User Frontend - Insecure Deserialization
Published: May 8, 2026
Updated: May 8, 2026
Remote Exploitable: yes
Overview
The User Frontend WordPress plugin, versions 4.3.1 and earlier, contains an insecure deserialization vulnerability: the wpuf_files parameter is insufficiently validated and is passed to deserialization unconditionally, which lets authenticated attackers with Subscriber-level access execute arbitrary code or delete files.
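The pattern the overview describes, as an added PHP illustration that is not the plugin's own code: a request parameter handed straight to unserialize(), beside a hardened handler that never deserializes untrusted input. The function names and the $_POST key are hypothetical; only the WordPress core calls (get_post_type, get_post_field, get_current_user_id) are real.

```php
<?php
// Added illustration, not code from the wp-user-frontend plugin.
// Parameter and function names are hypothetical.

// VULNERABLE: unconditional deserialization of attacker-controlled input.
// Any loadable class with a magic method (__wakeup, __destruct, ...) becomes
// reachable, so a crafted payload runs that class's logic with the web
// server's privileges; no type or class restriction is applied.
function wpuf_files_from_request_unsafe(): array {
    $raw = $_POST['wpuf_files'] ?? '';
    return unserialize($raw);
}

// HARDENED: never deserialize untrusted input. Accept a JSON list of
// attachment IDs and validate every element before it is used.
function wpuf_files_from_request_safe(): array {
    $raw = $_POST['wpuf_files'] ?? '[]';
    $decoded = json_decode($raw, true, 2);   // depth 2: a flat list only
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $item) {
        // Only positive integers are candidates.
        if (!is_int($item) || $item <= 0) {
            continue;
        }
        // Only attachments owned by the requesting user; this is what stops a
        // low-privileged account from deleting or re-attaching others' uploads.
        if (get_post_type($item) !== 'attachment'
            || (int) get_post_field('post_author', $item) !== get_current_user_id()) {
            continue;
        }
        $ids[] = $item;
    }
    return $ids;
}

// If legacy serialized input must still be accepted during a migration, at
// minimum forbid object instantiation. This blocks gadget classes but does
// not replace the shape and ownership checks above.
function legacy_unserialize_no_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}
```

Whatever the transport, the defensive property is the same: untrusted bytes must never be able to choose which classes are instantiated on the server.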
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers can execute arbitrary code or delete files, potentially compromising the entire system.
Mitigation
Update to a version later than 4.3.1.
References
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959
- https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502
- https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103
Details
- CVE ID: CVE-2026-5127
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: rejected
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H