CVE-2026-4058
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function. This allows authenticated attackers with Subscriber-level access and above to cancel any user's subscription pack, including administrators.
Risk Assessment
The organization may be at risk of losing control over user subscriptions, potentially leading to unauthorized access to resources and disruption of services.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional permission checks in the subscription management function.
Original NVD description (English source)
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.

