
PEACH
Un cadre d’isolation des locataires
CVE-2026-5459 is an Insecure Direct Object Reference (IDOR) vulnerability in the "User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration" plugin for WordPress, developed by weDevs. It affects all versions up to and including 4.3.1, and was published on July 8, 2026. The flaw allows unauthenticated attackers to activate a free subscription pack for any user, overwriting their existing paid subscription. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Wordfence).
The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and resides in the payment_page() function of the plugin. The user_id parameter accepted by this function is not validated server-side, meaning any caller — including unauthenticated users — can supply an arbitrary user_id value to target any account on the WordPress site. Because no authorization check verifies that the requester owns or has permission to modify the target user's subscription, an attacker can manipulate the subscription state of any user by simply crafting a request with the desired user_id (GitHub Advisory, Wordfence).
Successful exploitation allows an unauthenticated remote attacker to downgrade any user's paid subscription to a free tier, causing immediate loss of paid features for that user. The integrity impact is limited to subscription status manipulation — there is no evidence of confidentiality breach (data exposure) or availability impact (service disruption). While the attack does not enable code execution or account takeover, it can cause significant business disruption for site operators and financial harm to affected subscribers (GitHub Advisory, Wordfence).
/wp-json/wp/v2/users) or by observing user-facing profile URLs.user_id value corresponding to the target user (e.g., a paid subscriber) without any authentication credentials.payment_page() function processes the unvalidated user_id and activates a free subscription pack for the targeted account, overwriting their existing paid subscription.payment_page or related wp-user-frontend routes) with varying user_id parameter values.user_id values from a single or rotating IP address.Site administrators should update the weDevs User Frontend plugin to a version beyond 4.3.1, which includes a fix for the missing user_id validation (patch committed at WordPress Plugin Changeset 3514258). As a temporary workaround, consider restricting access to the payment page endpoint via web application firewall (WAF) rules or server-level controls until the update can be applied. Additionally, implement server-side authorization checks to ensure that only authenticated users can modify their own subscription status (GitHub Advisory, Wordfence).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."