CVE-2026-5459
WordPress Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-5459 is an Insecure Direct Object Reference (IDOR) vulnerability in the "User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration" plugin for WordPress, developed by weDevs. It affects all versions up to and including 4.3.1, and was published on July 8, 2026. The flaw allows unauthenticated attackers to activate a free subscription pack for any user, overwriting their existing paid subscription. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Wordfence).

Détails techniques

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and resides in the payment_page() function of the plugin. The user_id parameter accepted by this function is not validated server-side, meaning any caller — including unauthenticated users — can supply an arbitrary user_id value to target any account on the WordPress site. Because no authorization check verifies that the requester owns or has permission to modify the target user's subscription, an attacker can manipulate the subscription state of any user by simply crafting a request with the desired user_id (GitHub Advisory, Wordfence).

Impact

Successful exploitation allows an unauthenticated remote attacker to downgrade any user's paid subscription to a free tier, causing immediate loss of paid features for that user. The integrity impact is limited to subscription status manipulation — there is no evidence of confidentiality breach (data exposure) or availability impact (service disruption). While the attack does not enable code execution or account takeover, it can cause significant business disruption for site operators and financial harm to affected subscribers (GitHub Advisory, Wordfence).

Étapes d’exploitation

  1. Reconnaissance: Identify WordPress sites running the weDevs "User Frontend" plugin (versions ≤ 4.3.1) via passive scanning tools (e.g., WPScan, Shodan) or by checking publicly accessible plugin metadata.
  2. Identify target user IDs: Enumerate valid WordPress user IDs through publicly available endpoints (e.g., the WordPress REST API at /wp-json/wp/v2/users) or by observing user-facing profile URLs.
  3. Craft malicious request: Send an HTTP request to the plugin's payment page endpoint, supplying an arbitrary user_id value corresponding to the target user (e.g., a paid subscriber) without any authentication credentials.
  4. Trigger subscription downgrade: The payment_page() function processes the unvalidated user_id and activates a free subscription pack for the targeted account, overwriting their existing paid subscription.
  5. Confirm impact: Verify that the targeted user's paid features have been revoked by observing changes in their subscription status (GitHub Advisory, Wordfence).

Indicateurs de compromis

  • Network: Unusual or repeated unauthenticated HTTP requests to the plugin's payment page endpoint (e.g., URLs containing payment_page or related wp-user-frontend routes) with varying user_id parameter values.
  • Logs: WordPress access logs showing unauthenticated POST/GET requests to the payment page function with sequential or arbitrary user_id values from a single or rotating IP address.
  • Application: Unexpected subscription downgrades for multiple users in a short time window, particularly paid users being switched to free plans without any user-initiated action; review subscription change logs in the plugin's admin panel.

Atténuation et solutions de contournement

Site administrators should update the weDevs User Frontend plugin to a version beyond 4.3.1, which includes a fix for the missing user_id validation (patch committed at WordPress Plugin Changeset 3514258). As a temporary workaround, consider restricting access to the payment page endpoint via web application firewall (WAF) rules or server-level controls until the update can be applied. Additionally, implement server-side authorization checks to ensure that only authenticated users can modify their own subscription status (GitHub Advisory, Wordfence).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté WordPress Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-5523HIGH8.8
  • divi-form-builder
NonOuiJul 09, 2026
CVE-2026-6820HIGH7.2
  • vikbooking
NonOuiJul 08, 2026
CVE-2026-6740MEDIUM6.4
  • the-plus-addons-for-block-editor
NonOuiJul 08, 2026
CVE-2026-6459MEDIUM6.4
  • essential-addons-for-elementor-lite
NonOuiJul 08, 2026
CVE-2026-5459MEDIUM5.3
  • wp-user-frontend
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités