<0.1% probability · 17.4th percentile — 2026-05-08
Affected versions
User Frontend plugin <= 4.3.1
Summary
This high-severity deserialization vulnerability affects the popular User Frontend WordPress plugin. Insufficient input validation of the wpuf_files parameter during form submission allows authenticated attackers with low-privilege subscriber access to inject arbitrary PHP objects. If a suitable POP chain is present, this can lead to full remote code execution or file deletion.
Remediation
Update the User Frontend plugin to a version newer than 4.3.1 immediately. Remove the plugin from sites where it is not actively in use. Restrict low-privilege user permissions to reduce the attack surface for this flaw.
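For sites that record POST bodies (for example in a WAF audit log, which is an assumption here), the added example below flags wpuf_files form fields whose value contains a PHP serialized object token. It is not code from the plugin or from this advisory, and the sample bodies and field names such as avatar and doc are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP serialize() writes objects as O:<len>:"Class":<count>:{ and
# custom-serialized (Serializable) objects as C:<len>:"Class":<len>:{
PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"([^"]+)":\d+:\{')
PARAM = "wpuf_files"  # parameter named in the advisory


def fully_decode(value, rounds=3):
    """Undo up to `rounds` extra layers of URL encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_body(body):
    """Return (field, class_name) for each wpuf_files value holding a PHP object."""
    hits = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        # Match wpuf_files itself and array-style keys such as wpuf_files[x][]
        if key != PARAM and not key.startswith(PARAM + "["):
            continue
        for match in PHP_OBJECT.finditer(fully_decode(value)):
            hits.append((key, match.group(1)))
    return hits


# Constructed sample bodies (not captured traffic); field names are hypothetical.
SAMPLES = {
    "benign": "action=submit&wpuf_files%5Bavatar%5D%5B%5D=1234&title=hello",
    "object": "wpuf_files%5Bavatar%5D%5B%5D="
              "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "double": "wpuf_files%5Bdoc%5D=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D",
    "other_param": "comment=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_body(body))
```

A hit only shows that a serialized object was submitted in that field, so correlate it with the submitting account and the plugin version installed at the time.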