{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:55.348Z", "datePublished": "2026-03-25T16:14:58.069Z", "dateUpdated": "2026-04-29T09:52:00.195Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-user-frontend", "product": "WP User Frontend", "vendor": "weDevs", "versions": [{"changes": [{"at": "4.2.9", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.840Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP User Frontend: from n/a through <= 4.2.8.</p>"}], "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.195Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP User Frontend plugin <= 4.2.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:00:14.379915Z", "id": "CVE-2026-32485", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:06:17.049Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32485", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:00:14.379915Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:00:03.993Z"}}], "cna": {"title": "WordPress WP User Frontend plugin <= 4.2.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "weDevs", "product": "WP User Frontend", "versions": [{"status": "affected", "changes": [{"at": "4.2.9", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.2.8"}], "packageName": "wp-user-frontend", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:36.840Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP User Frontend: from n/a through <= 4.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.195Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32485", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:00.195Z", "dateReserved": "2026-03-12T11:11:55.348Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:58.069Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8."}, {"lang": "es", "value": "Vulnerabilidad por ausencia de autorizaci\u00f3n en weDevs WP User Frontend wp-user-frontend permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP User Frontend: desde n/a hasta &lt;= 4.2.8."}], "id": "CVE-2026-32485", "lastModified": "2026-04-29T10:17:13.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:59.593", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.8]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WP User Frontend", "source": "cna", "vendor": "weDevs"}, "product": "wp_user_frontend", "vendor": "wedevs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T21:42:20.453576+00:00", "value": {"mitigation_remediation": ["Upgrade WP User Frontend to a version newer than 4.2.8 when it becomes available", "If an update is not yet available, restrict the plugin\u2019s functionality by removing incorrect permission levels or disabling front\u2011end access until a patch is released", "Monitor the plugin\u2019s official website and security advisories for any CVE\u20112026\u201132485 related patches"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "All installations of the weDevs WP User Frontend plugin from the earliest releases through version 4.2.8 are affected. WordPress sites that use any of these plugin versions are vulnerable to the broken access control. The plugin is widely used for front\u2011end user management.", "description_and_impact": "A missing authorization check in the WP User Frontend plugin allows an attacker to exploit incorrectly configured access control security levels, giving unauthorized access to protected plugin features or data. The flaw is defined as CWE-862 and can lead to data disclosure or modification if the attacker succeeds.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.5, indicating moderate\u2011to\u2011high severity, and an EPSS score of less than 1%, suggesting a low probability of current exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is remote via the web; an attacker only needs network access to the WordPress site and the ability to interact with the front\u2011end interface. No public exploit code is reported, but the simple missing check could be leveraged with a custom script."}}}}, "created": "2026-03-25T21:43:41.195526+00:00", "updated": "2026-03-27T09:31:10.192818+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wp_user_frontend", "wordpress", "wordpress$PRODUCT$wordpress"]}