CVE Catalog

CVE-2026-4058

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile - higher than 8% of all known CVEs

Summary

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function. This allows authenticated attackers with Subscriber-level access and above to cancel any user's subscription pack, including administrators.

Risk Assessment

The organization may be at risk of losing control over user subscriptions, potentially leading to unauthorized access to resources and disruption of services.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional permission checks in the subscription management function.

Original NVD description (English source)

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS