Wp User Frontend

wp_user_frontend

Vendor: Wedevs • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-38693 1Wedevs 1Wp User Frontend Sep 13, 2024 Aug 29, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Frontend allows SQL Injection.This issue affects WP User Frontend: from n/a through 4.0.7.
CVE-2021-24649 1Wedevs 1Wp User Frontend Apr 30, 2025 Nov 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). Thi...Show more The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as adminShow less
CVE-2021-25076 1Wedevs 1Wp User Frontend Nov 21, 2024 Jan 24, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanit...Show more The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site ScriptingShow less