"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 4
Critical: 1
High: 2
Medium: 1
Showing 1-4 of 4 records
Threat Entry Updated 2026-04-15

CVE-2026-1565 - Wp User Frontend Plugin

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp User Frontend

CVE-2026-1565

HIGH CVSS 8.8 2026-02-26
Threat Entry Updated 2026-01-02

CVE-2025-14047 - Wp User Frontend Plugin

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.

PLUGIN Wp User Frontend

CVE-2025-14047

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2025-04-30

CVE-2021-24649 - Wp User Frontend Plugin

The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constants (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin.

PLUGIN Wp User Frontend

CVE-2021-24649

CRITICAL CVSS 9.8 2022-11-21
Threat Entry Updated 2024-11-21

CVE-2021-25076 - Wp User Frontend Plugin

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.

PLUGIN Wp User Frontend

CVE-2021-25076

HIGH CVSS 8.8 2022-01-24