{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3055", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-31T19:27:42.132Z", "datePublished": "2025-06-05T05:23:00.826Z", "dateUpdated": "2026-04-08T17:31:49.338Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:49.338Z"}, "affected": [{"vendor": "wedevs", "product": "WP User Frontend Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb71c31-9e56-4b58-9cfc-a97f6892cc2b?source=cve"}, {"url": "https://headwayapp.co/wp-user-frontend-changelog"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-06-04T16:33:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-05T13:18:30.203815Z", "id": "CVE-2025-3055", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T14:07:57.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-05T13:18:30.203815Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T13:18:31.532Z"}}], "cna": {"title": "WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "wedevs", "product": "WP User Frontend Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-04T16:33:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb71c31-9e56-4b58-9cfc-a97f6892cc2b?source=cve"}, {"url": "https://headwayapp.co/wp-user-frontend-changelog"}], "descriptions": [{"lang": "en", "value": "The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:49.338Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3055", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:49.338Z", "dateReserved": "2025-03-31T19:27:42.132Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-05T05:23:00.826Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento WP User Frontend Pro para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n delete_avatar_ajax() en todas las versiones hasta la 4.1.3 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-3055", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-05T06:15:26.300", "references": [{"source": "security@wordfence.com", "url": "https://headwayapp.co/wp-user-frontend-changelog"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb71c31-9e56-4b58-9cfc-a97f6892cc2b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:27:03.878379+00:00", "value": {"mitigation_remediation": ["Upgrade WP User Frontend Pro to the latest version, at minimum 4.2.0, to remove the deletion flaw.", "Restrict the delete avatar functionality for Subscriber accounts, for example by disabling the feature or limiting role access to the AJAX endpoint until an update can be applied.", "Ensure the WordPress install runs with the least privileged filesystem permissions, back up critical configuration files, and monitor server logs for unexpected file deletion activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "WP User Frontend Pro (wedevs) versions up to and including 4.1.3 on WordPress sites. The issue affects all installations that have been running these versions without an upgrade.", "description_and_impact": "The vulnerability appears in the delete_avatar_ajax() function of WP User Frontend Pro, where user-supplied file paths are not properly validated before deletion. This allows an authenticated attacker with Subscriber role or higher to specify any filesystem path, leading to arbitrary file removal. Deleting critical files such as wp-config.php can compromise WordPress configuration and permit execution of malicious code. The flaw represents a classic path traversal and deletion abuse (CWE-22).", "risk_and_exploitability": "The CVSS score of 8.1 marks this as a high\u2011severity vulnerability. With an EPSS score of 6%, there is a moderate probability of exploitation. The flaw is not listed in the CISA KEV catalog, but its impact\u2014remote code execution through file deletion\u2014makes it a significant risk. An attacker must be able to authenticate to the WordPress site as a Subscriber or higher and then issue a crafted AJAX request to the delete_avatar_ajax() endpoint. Once the request is processed, any file on the server may be deleted, exposing the system to further compromise."}}}}, "created": "2026-04-21T20:30:27.402244+00:00", "updated": "2026-04-21T20:30:27.402253+00:00", "vendors": []}