{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13419", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:56:27.616Z", "datePublished": "2026-01-07T09:21:00.404Z", "dateUpdated": "2026-04-08T17:05:06.354Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:06.354Z"}, "affected": [{"vendor": "aharonyan", "product": "Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments."}], "title": "Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-01-06T20:25:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T15:05:48.442031Z", "id": "CVE-2025-13419", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:05:54.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T15:05:48.442031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:05:51.550Z"}}], "cna": {"title": "Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "aharonyan", "product": "Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:25:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:06.354Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13419", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:06.354Z", "dateReserved": "2025-11-19T14:56:27.616Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:21:00.404Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments."}, {"lang": "es", "value": "El plugin Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en el endpoint de la API REST '/wp-json/bfe/v1/revert' en todas las versiones hasta la 5.0.0, inclusive. Esto hace posible que atacantes no autenticados eliminen archivos adjuntos multimedia arbitrarios."}], "id": "CVE-2025-13419", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:47.880", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:37:10.335338+00:00", "value": {"mitigation_remediation": ["Upgrade the Guest posting/Frontend Posting/Front Editor \u2013 WP Front User Submit plugin to the latest available release, which incorporates an authorization check on the /wp-json/bfe/v1/revert endpoint.", "If an immediate update is not possible, restrict access to the /wp-json/bfe/v1/revert endpoint for unauthenticated users by implementing a rewrite rule, using a WordPress security plugin, or configuring a web\u2011application firewall to deny DELETE requests from non\u2011logged\u2011in accounts.", "Review the WordPress role configuration to ensure that only users with appropriate delete capabilities (e.g., administrators or editors) can delete media items, and remove any unnecessary delete permissions granted to lower\u2011privileged roles."], "summary": {"action": "Apply patch", "impact": "Unauthenticated deletion of media attachments via a REST endpoint"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Aharonyan Guest posting / Frontend Posting / Front Editor \u2013 WP Front User Submit plugin for WordPress in all releases up to and including version 5.0.0. No other vendors or product variants are listed in the CNA data.", "description_and_impact": "The WP Front User Submit plugin contains a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint that allows any unauthenticated attacker to delete arbitrary media attachments from the WordPress media library. This vulnerability can be used to remove important files, disrupt site functionality, or sabotage the website\u2019s content integrity. The weakness is categorized as a missing authorization problem (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% suggests a very low probability that the flaw will be actively exploited today. The vulnerability is not listed in the CISA KEV catalog. An attacker can target the flaw by sending a crafted request directly to the /wp-json/bfe/v1/revert endpoint without needing authentication, thereby triggering the deletion operation."}}}}, "created": "2026-01-08T09:49:26.395707+00:00", "updated": "2026-04-21T16:45:15.214850+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}