mediumCVE-2026-12406

WP User Frontend Media Attachment Deletion Authorization Bypass Vulnerability

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary media attachments whose post_author is 0, such as guest and registration-form uploads, via the wpuf_file_del AJAX action. This is exploitable by unauthenticated visitors on any site where a WPUF shortcode is rendered on a front-end page, as this causes the valid wpuf_nonce value to be localized into publicly accessible JavaScript objects (wpuf_upload and wpuf_frontend), satisfying the sole access control gate.

ProductUser Frontend
CVSS5.3
EPSS0.00323
UpdatedJuly 10, 2026

Quick answer

WP User Frontend User Frontend should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • User Frontend up to and including 4.3.7

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

WP User Frontend is affected by CVE-2026-12406. Versions up to 4.3.7 can allow unauthorized media deletion because unauthenticated visitors can delete media attachments whose post_author is 0 when a WPUF shortcode exposes the nonce. Patch the plugin and restore missing files if needed.

  1. Inventory WordPress sites using WP User Frontend.
  2. Update WP User Frontend beyond 4.3.7 when a fixed release is available.
  3. Disable public WPUF forms or the vulnerable file deletion endpoint until patched.
  4. Review upload directories and media library records for deleted guest or registration-form attachments.
  5. Restore missing media from backups if business-critical files were deleted.
  6. Block the vulnerable AJAX action with WAF/server rules during remediation.
  7. Clear caches and regenerate pages that reference restored media.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm WP User Frontend is no longer version 4.3.7 or older.
  • Attempt a safe media deletion request as an unauthenticated user in staging and confirm it is denied.
  • Confirm legitimate users can still delete only their permitted uploads.
  • Review web logs for wpuf_file_del attempts after patching.
  • Run a Fixnx scan and verify public WordPress exposure after remediation.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-12406?

WP User Frontend User Frontend versions listed as affected should be reviewed: User Frontend up to and including 4.3.7.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.