{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2233", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-09T03:06:29.893Z", "datePublished": "2026-03-15T02:19:14.723Z", "dateUpdated": "2026-04-08T17:28:44.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:44.765Z"}, "affected": [{"vendor": "wedevs", "product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter."}], "title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-02-09T03:22:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-14T14:13:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:11:22.434917Z", "id": "CVE-2026-2233", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:12:15.863Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:11:22.434917Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:11:26.891Z"}}], "cna": {"title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wedevs", "product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-09T03:22:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-14T14:13:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend"}], "descriptions": [{"lang": "en", "value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:44.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2233", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:44.765Z", "dateReserved": "2026-02-09T03:06:29.893Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-15T02:19:14.723Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter."}, {"lang": "es", "value": "El plugin User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &amp; User Registration para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n draft_post() en todas las versiones hasta la 4.2.8, inclusive. Esto hace posible que atacantes no autenticados modifiquen publicaciones arbitrarias (por ejemplo, despublicar publicaciones ya publicadas y sobrescribir el contenido) a trav\u00e9s del par\u00e1metro 'post_id'."}], "id": "CVE-2026-2233", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:28.950", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration", "source": "cna", "vendor": "wedevs"}, "product": "user_frontend_ai_powered_frontend_posting,_user_directory,_profile,_membership_&_user_registration", "vendor": "wedevs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-16T23:41:43.142564+00:00", "value": {"mitigation_remediation": ["Upgrade the User Frontend plugin to the latest available release that addresses the missing authorization check.", "If an update cannot be applied immediately, deactivate or delete the plugin to prevent unauthorized post modifications.", "Monitor site logs and audit post content for unintended changes to maintain content integrity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress plugin \"User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration\" from wedevs that run version 4.2.8 or earlier are affected. No specific fixed version is mentioned in the CVE data, so any deployment of these or older versions is considered vulnerable.", "description_and_impact": "The User Frontend plugin for WordPress (wedevs) contains a missing capability check within the draft_post() function in all releases up to version 4.2.8. Due to this omission, any user, including those not authenticated, can send requests that alter posts by specifying a post_id value. This allows attackers to change post content, unpublish posts, or overwrite existing data. The flaw is categorized as CWE\u2011862, representing a missing authorization weakness.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. The EPSS score is reported as less than 1\u202f%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need only to craft an HTTP request containing a valid post_id parameter and submit it to the plugin\u2019s draft_post endpoint; no authentication is required. While the likelihood of exploitation appears low, the potential impact of content tampering or removal warrants immediate attention."}}}}, "created": "2026-03-16T09:22:12.523799+00:00", "updated": "2026-03-23T13:39:00.214319+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$user_frontend_ai_powered_frontend_posting,_user_directory,_profile,_membership_&_user_registration", "wordpress", "wordpress$PRODUCT$wordpress"]}